
password-based-authentication
Security pattern for implementing password-based authentication. Use when designing login systems with username/password, implementing password storage, hashing, salting, peppering, password policies, or password reset flows. Specialization of the Authentication pattern.
Password-Based Authentication Security Pattern
A Subject proves its identity by presenting an identifier (username or email) together with the corresponding password. The pattern relies on the assumption that only the legitimate owner of the identity knows that password.
Core Components
| Role | Type | Responsibility |
|---|---|---|
| Subject | Entity | Provides identifier and password |
| Enforcer | Enforcement Point | Ensures authentication before action processing |
| Verification Manager | Entity | Collects inputs for password verification |
| Comparator | Decision Point | Compares hash values |
| Hasher | Cryptographic Primitive | Calculates hash values |
| Password Store | Storage | Keeps hash values for registered identities |
| Registrar | Entity | Handles subject registration |
| Resetter | Entity | Handles credential reset |
| Password Policy | Information Point | Rules passwords must satisfy |
| SRNG | Cryptographic Primitive | Secure random number generator |
Data Elements
- id: Identifier (username, email)
- pwd: Password provided by Subject
- hash(pwd): Hash value of password
- salt: Random value unique per Subject
- pepper: System-wide secret for additional protection
Password Hashing
Required Approach
- Use modern password hashing algorithms: Argon2, scrypt, bcrypt, or PBKDF2
- Never use general-purpose hash functions (MD5, SHA-1, SHA-256) alone
- Always use salting (typically automatic with modern algorithms)
Salting
- Add random string unique per Subject before hashing
- Ensures identical passwords produce different hashes
- Salt stored in plaintext alongside hash
- Modern algorithms handle salt automatically
Peppering (Optional)
- System-wide secret added before hashing
- Stored separately from password store
- Provides additional protection if password store is compromised
Registration Flow
Three approaches for credential determination:
- Subject provides identifier and password
- Subject provides identifier; Registrar selects password
- Registrar selects both identifier and password
Upon completion:
- Password Store contains: identifier, hash(salted password), salt
- Subject possesses: identifier and password
Password Policy
Enforce policies including:
- Minimum/maximum length
- Character requirements
- Common password blacklist
- Breach database checking
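The policy checks above as one added example (not code from the source pattern). It assumes a constructed common-password blacklist and an injected `fetch_range` callable for the breach lookup, which uses the k-anonymity range scheme (send only the first five hex characters of SHA-1(password), match the suffix locally); `fake_range_fetcher` is a constructed offline stand-in for that range endpoint.

```python
import hashlib
from typing import Callable, Iterable

MIN_LEN, MAX_LEN = 12, 128  # an upper bound keeps the slow hash from being a DoS vector

# Constructed blacklist of common passwords; a real deployment loads a large list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Character classes counted for the composition rule.
_CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())


def breach_count(pwd: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity breach lookup: only the first 5 hex chars of SHA-1(pwd) leave the
    host; the returned range ('SUFFIX:COUNT' per line) is matched locally."""
    digest = hashlib.sha1(pwd.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_policy(pwd: str, fetch_range: Callable[[str], str]) -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems = []
    if len(pwd) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pwd) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if sum(any(cls(c) for c in pwd) for cls in _CLASSES) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if pwd.lower() in COMMON_PASSWORDS:
        problems.append("is a common password")
    hits = breach_count(pwd, fetch_range)
    if hits:
        problems.append(f"appears {hits} times in breach data")
    return problems


def fake_range_fetcher(breached: Iterable[str], count: int = 3) -> Callable[[str], str]:
    """Constructed offline stand-in for the range API, built from known-breached
    passwords. Swap in an HTTP GET of the real range endpoint for production use."""
    table: dict[str, list[str]] = {}
    for p in breached:
        d = hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
        table.setdefault(d[:5], []).append(f"{d[5:]}:{count}")
    return lambda prefix: "\n".join(table.get(prefix, []))
```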
Password Reset
- Verify Subject identity through out-of-band channel
- Generate time-limited reset token
- Never reveal whether account exists
- Invalidate existing sessions after reset
- Force re-authentication
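The reset flow above as one added example (not code from the source pattern). It assumes constructed in-memory stand-ins for the Password Store and session store, an injected `deliver` callable for the out-of-band channel (e-mail or SMS sender), and that the caller supplies the new password already processed by the pattern's Hasher.

```python
import hashlib
import secrets
import time
from typing import Callable, Optional

RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

# Constructed in-memory stand-ins for the Password Store and the session store.
USERS = {"alice": {"pwd_record": "<existing hash record>", "sessions": {"sess-1", "sess-2"}}}
RESET_TOKENS: dict[str, tuple[str, float]] = {}  # sha256(token) -> (user_id, expiry)

NEUTRAL_REPLY = "If an account exists for that identifier, reset instructions have been sent."


def _token_key(token: str) -> str:
    """Store only a hash of the token, so a leaked token table cannot be replayed."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(user_id: str, deliver: Callable[[str, str], None],
                  now: Optional[float] = None) -> str:
    """Step 1: the reply is identical for known and unknown identifiers; the token
    itself travels only over the out-of-band channel. Queue delivery asynchronously
    in production so response time does not differ between the two cases."""
    now = time.time() if now is None else now
    if user_id in USERS:
        token = secrets.token_urlsafe(32)  # SRNG, 256 bits of entropy
        RESET_TOKENS[_token_key(token)] = (user_id, now + RESET_TOKEN_TTL)
        deliver(user_id, token)
    return NEUTRAL_REPLY


def complete_reset(token: str, new_pwd_record: str, now: Optional[float] = None) -> bool:
    """Step 2: accept a token once and only before expiry; then store the new hash
    record and drop every existing session, which forces re-authentication."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_key(token), None)  # single use, valid or not
    if entry is None:
        return False
    user_id, expiry = entry
    if now > expiry:
        return False
    user = USERS[user_id]
    user["pwd_record"] = new_pwd_record  # produced by the pattern's Hasher
    user["sessions"].clear()
    return True
```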
Security Considerations
Password Store Protection
- Encrypt at rest
- Restrict access
- Monitor for breaches
- Detect tampering
Identifier Security
- Don't rely on identifier secrecy
- Prevent enumeration attacks
- Use consistent timing for valid/invalid identifiers
Verification Timing
- Use constant-time comparison
- Prevent timing attacks
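The Hasher, Comparator and Password Store contents from the Password Hashing and Registration Flow sections, together with the consistent-timing lookup from Identifier Security and the constant-time comparison from Verification Timing, as one added example (not code from the source pattern). It assumes scrypt from the Python standard library as the password hashing algorithm, a pepper read from a `PASSWORD_PEPPER` environment variable (a constructed placeholder otherwise), and an in-memory dict standing in for the Password Store.

```python
import base64
import hashlib
import hmac
import os
import secrets

# scrypt cost parameters (CPU/memory cost N, block size r, parallelism p).
# N=2**14 keeps this example fast; production deployments tune N higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

# Pepper: system-wide secret that lives outside the Password Store (env var, KMS).
# The fallback value is a constructed placeholder for this example only.
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-placeholder").encode()


def _peppered(pwd: str) -> bytes:
    """Bind the password to the pepper with HMAC before the slow hash."""
    return hmac.new(PEPPER, pwd.encode("utf-8"), hashlib.sha256).digest()


def hash_password(pwd: str) -> str:
    """Hasher: return a self-describing record 'scrypt$N$r$p$salt$hash'."""
    salt = secrets.token_bytes(16)  # SRNG: fresh salt for every Subject
    digest = hashlib.scrypt(_peppered(pwd), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(pwd: str, record: str) -> bool:
    """Comparator: recompute with the stored salt/params, compare in constant time."""
    algo, n, r, p, salt_b64, hash_b64 = record.split("$")
    if algo != "scrypt":
        return False
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.scrypt(_peppered(pwd), salt=base64.b64decode(salt_b64),
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# Dummy record hashed against when the identifier is unknown, so a login attempt
# takes the same time whether or not the account exists (anti-enumeration).
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def login(store: dict, user_id: str, pwd: str) -> bool:
    """Enforcer: never short-circuit on an unknown identifier."""
    record = store.get(user_id, _DUMMY_RECORD)
    ok = verify_password(pwd, record)
    return ok and user_id in store
```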
Implementation Checklist
- [ ] Using Argon2/scrypt/bcrypt/PBKDF2
- [ ] Automatic salting enabled
- [ ] Password policy enforced
- [ ] Secure reset flow implemented
- [ ] Rate limiting on login attempts
- [ ] Constant-time hash comparison
- [ ] No credential logging
References
- Source: https://securitypatterns.distrinet-research.be/patterns/01_01_002__authentication_pwd/
- OWASP Password Storage Cheat Sheet