TL;DR notes from articles I read today.
- Store only a cryptographically strong, irreversible (slow, one-way) hash of each password, salted with a random value unique to that specific credential; never store or log the plaintext.
- Separate user identity from the user account, designing your user management system for low coupling and high cohesion between different parts of a user’s profile. Allow users to change usernames and link multiple identities to a single user account.
- Keep username rules reasonable: treat usernames case-insensitively and avoid restricting length or character set. Also allow passwords as long and complex as the user wants (the hash condenses them to a fixed size anyway; just check your hash function's own input limit, since bcrypt, for example, silently truncates at 72 bytes).
- Consciously decide on thresholds for session length, and re-verify authentication on security-relevant events such as password resets, critical profile changes, logins from new devices or from too many devices, or sensitive actions with financial implications. Offer users the option of stricter settings when alerting them to such events, and make sure any unsaved activity started before the re-authentication prompt is preserved.
- Build a secure authentication system: password reset rather than retrieval, detailed activity logging, rate-limiting of login attempts, lockout after several unsuccessful attempts, and two-factor re-authentication for new devices or long-idle accounts.
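The notes above on salted hashing, case-insensitive usernames, unrestricted password length, rate-limiting and lockout fit together in one small login flow. The following is an added example written for these notes, not code from the articles summarised here. It assumes (my choices, not the source's) PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash, a 16-byte random salt per credential, five failures before a 15-minute lockout, and an injectable clock so the lockout expiry can be exercised deterministically.

```python
"""Salted password hashing plus login rate-limiting/lockout (added example)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Tuple

ITERATIONS = 600_000      # assumed cost; OWASP's current figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16           # fresh random salt per stored credential
MAX_FAILURES = 5          # assumed: wrong guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60 # assumed lockout duration


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way, salted, deliberately slow hash. PBKDF2 consumes the whole
    string, so no password length cap is needed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def encode_record(salt: bytes, digest: bytes, iterations: int) -> str:
    """Self-describing storage format, so the cost can be raised later."""
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


@dataclass
class Account:
    username: str          # as the user typed it, for display
    record: str            # encoded salt + hash; the plaintext is never stored
    failures: int = 0
    locked_until: float = 0.0


class AuthStore:
    """In-memory account store; usernames compare case-insensitively."""

    def __init__(self, iterations: int = ITERATIONS, clock=time.monotonic):
        self._accounts = {}
        self._iterations = iterations
        self._clock = clock

    def register(self, username: str, password: str) -> None:
        key = username.casefold()
        if key in self._accounts:
            raise ValueError("username already taken")
        salt = os.urandom(SALT_BYTES)
        digest = hash_password(password, salt, self._iterations)
        self._accounts[key] = Account(username, encode_record(salt, digest, self._iterations))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'bad_credentials'. Unknown username and
        wrong password give the same answer and cost the same hashing time."""
        acct = self._accounts.get(username.casefold())
        if acct is None:
            hash_password(password, b"\x00" * SALT_BYTES, self._iterations)  # equalise timing
            return "bad_credentials"
        now = self._clock()
        if acct.locked_until > now:
            return "locked"
        iterations, salt, stored = parse_record(acct.record)
        candidate = hash_password(password, salt, iterations)
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "bad_credentials"


class ManualClock:
    """Deterministic stand-in for time.monotonic, used by demo()."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo(iterations: int = ITERATIONS) -> dict:
    """Walks the flow end to end and returns the observed outcomes."""
    clock = ManualClock()
    store = AuthStore(iterations=iterations, clock=clock)
    long_passphrase = "correct horse battery staple ✓ " * 10   # 300+ chars, non-ASCII
    store.register("Alice", long_passphrase)
    out = {"case_insensitive_login": store.login("alice", long_passphrase)}
    out["wrong_password"] = store.login("ALICE", "wrong")
    out["unknown_user"] = store.login("bob", "whatever")
    for _ in range(MAX_FAILURES - 1):           # four more failures: five in total
        store.login("alice", "still wrong")
    out["locked_even_with_right_password"] = store.login("alice", long_passphrase)
    clock.advance(LOCKOUT_SECONDS + 1)
    out["after_lockout_expires"] = store.login("alice", long_passphrase)
    # same password, two random salts: the stored values never collide
    out["salts_differ"] = hash_password("pw", os.urandom(16), 1) != hash_password("pw", os.urandom(16), 1)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details worth noting: the dummy hash for an unknown username keeps a login failure from revealing whether the account exists via response time, and the self-describing record format lets you raise the iteration count later and re-hash accounts as users log in.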
Full post here, 9 mins read
- Realize that software is never done: customers find more uses for it and request more features, so the code keeps getting bigger and more complex, and it is never written by one developer alone. That aggregation breeds complexity and, in turn, bugs, so plan for failures and build in issue tracking, logging and error handling.
- Develop the skill of reading code to understand what it does and how. Write code that is easier to read and hence to modify.
- Modularize the software into subsystems, layers or modules based on small chunks of functionality. Develop in small iterations and apply repeatable unit tests to ensure they work as expected and stay decoupled.
- Write for people first and the computer second. It’s better to be clear than to be clever. Use good version control.
Full post here, 8 mins read