User Management: It’s Not as Easy as You Think

Beribey
Jan 25, 2021

One of the most troublesome things is the management and security of user information.

Really? Signing up is difficult?

Contrary to what you might imagine, registering, logging in and managing users is not simple at all. It can get pretty messy once you need the following features:

  • Allow users to register and log in by email
  • User decentralization
  • Integration with Gmail, Facebook
  • Integration with existing user systems in the enterprise
  • Reset the password when users forget it
  • Block the account when a user enters the wrong password many times
  • Secure API for the mobile app
  • Two-factor authentication for important accounts
  • Management: add, delete, edit users

When this feature is stable, nobody says a single word of praise for it. However, as soon as it runs into even a small problem, you are sure to suffer loads of rage from your customers.
Most important — Don’t save passwords!
Every developer must memorize the following statement:

Absolutely never save customer passwords, no matter what your boss says!
As a mindful developer, you should never save a client’s password in the database (remember it, this is the third time).
The consequences of this are not serious: at most the company loses face, loses customer accounts, and sees customers switch to other services, nothing more.

If I don’t save my password, how can a user login?

What to do when the user forgets the password?

Since the password is not stored in the database, we cannot email the password to the user when they forget it. Here we have 2 solutions.

Method 1: Reset to a new random password and send it to the user

This method can expose the password, because email can be read by others. In addition, a hacker who knows users' email addresses can abuse it to reset passwords en masse and prevent those users from logging into the system.

Method 2: Send the user a reset link

Based on the account, we create a reset token, attach it to a link such as http://shop.com/resetpass?token=1234, and email this link to the user.

The user uses this link to reset the password. This way, even if a hacker submits a reset request, the user's password stays the same and is not affected.

As mentioned above, because email is not secure, the token should expire as soon as it has been used, or 24–48 hours after the email is sent.
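The reset-link flow from Method 2, as an added example that is not code from the original article: the token is random, only its hash is stored, it is single-use and expires, and the old password stays valid until the link is redeemed. The in-memory dictionaries, the function names, the `shop.example` link and the 24-hour lifetime are assumptions made for the sketch.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600          # lower bound of the article's 24-48 hour window
GENERIC_REPLY = "If the account exists, a reset link has been sent."

# Constructed in-memory stand-ins for database tables (hypothetical names).
USERS = {"alice@example.com": {"password_hash": "old-hash"}}
RESET_TOKENS = {}                      # sha256(token) -> {"email", "expires", "used"}


def _digest(token):
    # Only a hash of the token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None, outbox=None):
    """Issue a reset link; the reply is identical whether or not the account exists."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)          # unguessable, unlike token=1234
        RESET_TOKENS[_digest(token)] = {
            "email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        if outbox is not None:                     # stand-in for sending the email
            outbox.append(f"https://shop.example/resetpass?token={token}")
    return GENERIC_REPLY


def redeem_reset(token, new_password_hash, now=None):
    """Change the password only for an unexpired, unused token; then burn the token."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_digest(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True                          # single use
    USERS[record["email"]]["password_hash"] = new_password_hash
    return True
```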

Prevent password guessing

To guess a password, a hacker can write a bot that submits username and password combinations one after another until a login succeeds. To prevent this, apply the following methods:

  • When a login fails, do not report whether the username or the password was wrong. Just say that the username or password does not match; this makes the hacker's job harder.
  • Hackers can abuse the password reset function to find out whether an email address has an account on the site. Whether the account exists or not, show only one message: message sent.
  • Limit the number of login attempts with a wrong password. For example, after 3 wrong passwords, lock the account for 10 minutes. Hackers can use this mechanism to block user accounts, so be careful. You can additionally incorporate a CAPTCHA.

Note: These measures can be annoying for the user. If the data is not too important (games, Q&A sites, communication, entertainment …), some of them can be loosened.
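The login rules above, as an added example that is not code from the original article: one message for an unknown user and a wrong password, and a 10-minute lock after 3 failures. It also shows one way to log a user in without saving the password, by storing a salted PBKDF2 hash; that scheme, the sample account and all names are assumptions, since the article names none.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3                  # the article's example: 3 wrong passwords ...
LOCK_SECONDS = 10 * 60            # ... lock the account for 10 minutes
GENERIC_ERROR = "Username or password does not match."
LOCKED_ERROR = "Too many attempts. Try again later."


def hash_password(password, salt=None):
    # Assumption: a salted PBKDF2 hash is stored instead of the password itself.
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


# Constructed sample account store and failure counters (hypothetical names).
_salt, _hash = hash_password("correct horse battery staple")
ACCOUNTS = {"alice": {"salt": _salt, "hash": _hash}}
FAILURES = {}                     # username -> {"count", "locked_until"}
DUMMY_SALT = b"\x00" * 16         # hashed for unknown users so timing stays similar


def login(username, password, now=None):
    """Return (ok, message). Unknown user and wrong password look identical."""
    now = time.time() if now is None else now
    state = FAILURES.setdefault(username, {"count": 0, "locked_until": 0.0})
    if now < state["locked_until"]:
        return False, LOCKED_ERROR                # same for real and unknown names
    account = ACCOUNTS.get(username)
    salt = account["salt"] if account else DUMMY_SALT
    _, candidate = hash_password(password, salt)
    if account is not None and hmac.compare_digest(candidate, account["hash"]):
        state["count"] = 0
        return True, "Welcome."
    state["count"] += 1
    if state["count"] >= MAX_FAILURES:
        state["count"] = 0
        state["locked_until"] = now + LOCK_SECONDS
    return False, GENERIC_ERROR
```

Because the lock is keyed on the username, anyone can trigger it for a victim, which is the account-blocking risk the list above mentions.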

Small measures to increase security

Some other points to note:

  • For important operations such as changing the email address, changing the password, or deleting the account, force users to re-enter their password. The reason is that a user's cookies may sometimes be stolen, or the user may forget to lock the device. Look at Facebook and Google: both require you to re-enter your password when you want to change it.
  • For applications that need high security, two-factor verification is a must. I am currently using it; even if you know my Gmail or WordPress password, you cannot log in.
  • You should encourage (or force) users to use a long password containing letters and numbers, capital letters and special characters.
  • Modern machines are very fast at cracking passwords; you can go here to test how long it takes a machine to find out your password.
  • If your site does not have HTTPS, or the team has no experience with security, just let others worry about it: you can use OAuth and allow users to log in with Google or Facebook.

At this point, Google and Facebook are responsible for managing the user's password and data. Users do not need to register multiple accounts, which would be double work. Learn more at https://oauth.io/ or https://auth0.com/.

Remember, security is a huge discipline and the world of security is vast. New security bugs appear every day, no less often than new technologies in programming.
