User Management- It’s Not as Easy as You Think

Photo by Martin LONGIN on Unsplash

Really! Signing up is difficult?

Unlike you might imagine, registering / logging in and managing users is not that simple at all. It can get pretty messy with the following features:

  • Allow users to register, log in by email
  • User decentralization
  • Integration with Gmail, Facebook
  • Integration with existing user systems in the enterprise
  • Reset password when users forget
  • Block account when a user enters wrong password many times
  • Secure API with mobile app
  • Two factor authentication (two factor authentication) with important accounts
  • Management: Add, delete, delete, edit users
User Management

What to do when the user forgot the password?

Since the password is not stored in the database, we cannot email the password to the user when they forget the password. Here we have 2 solutions.

Method 1: Reset a new password randomly and then send it to the user

This method can reveal the password because the email can be read. In addition, if hackers know the email address, hackers can take advantage of it to mass reset users’ passwords, to prevent them from logging into the system.

Method 2: Send the link to reset the user

Based on the account, we create a reset token and attach it to the link: , send this link to the mail for the user.

Method 2: Send the link to reset the user

Prevent password guessing

Photo by Dan Nelson on Unsplash
  • When the user logs in incorrectly, do not report the wrong username or password. Just say the username or password does not match, the hacker will have more difficulty.
  • Hackers take advantage of the password reset function to detect if a user has email on that page or not. Whether the account exists or not, we only show the message: sent message.
  • Limit the number of login attempts when entering a wrong password. For example, after 3 times of entering the wrong password, the account will be locked in 10 minutes. Hackers can use this method to block user accounts, so be careful. Can incorporate additional capcha.

Small measure to increase security

Some other points to note:

  • With important operations such as changing email, changing password, deleting nick, it is necessary to force users to re-enter password. The reason is that sometimes users may steal cookies, or forget to lock the device. Look at Facebook and Google, both of these pages require us to re-enter your password when you want to change your password.
  • For applications that need high security, they must have Two-factor verification. I am currently using it, even if you know my Gmail or WordPress password. can not login.
  • You should encourage (or force) users to use a long password, accompanied by letters and numbers, capital letters and special characters.
  • The machine is very modern when cracking the password, you can go here to test how long it takes the machine to find out your password.
  • If your site does not have HTTPS, or the team has no experience doing security, just let the others worry. You can use OAuth, allowing users to log in from Google, Facebook.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



Always be nice to anybody who has access to my toothbrush.