Authentication Security Checklist: 29-Item Guide

TL;DR

Use a proven auth library (NextAuth, Clerk, Auth0). If rolling your own: hash passwords with bcrypt/argon2, use secure session cookies, implement rate limiting on login, and make password reset tokens single-use and time-limited. 8 critical items must be fixed before launch, 14 important items within the first week, and 7 recommended items when you can.

Quick Checklist (5 Critical Items)

Passwords hashed with bcrypt or Argon2Never store plain text or use MD5/SHA1

Session cookies are HttpOnly and SecurePrevents JavaScript access and requires HTTPS

Rate limiting on login attemptsLimit attempts per IP and per account

Password reset tokens are single-useToken is invalidated after use

::checklist-item{label="Generic error messages on login" description=""Invalid credentials" not "User not found" or "Wrong password""} ::

Password Security 4

Passwords hashed with bcrypt or Argon2Never store plain text or use MD5/SHA1. How to hash passwords securely

Minimum password length enforcedAt least 8 characters, recommend 12+. How to set password requirements

Check against breached password listUse HaveIBeenPwned API or similar. How to check breached passwords

No password hints storedPassword hints can leak information. Password security best practices

Login Security 5

Rate limiting on login attemptsLimit attempts per IP and per account. How to implement rate limiting

::checklist-item{label="Generic error messages" description=""Invalid credentials" not "User not found" or "Wrong password". How to secure error messages"} ::

Account lockout after failed attemptsTemporary lockout after 5-10 failed attempts. How to implement account lockout

CAPTCHA on login formAdd after failed attempts or for suspicious behavior. How to add CAPTCHA

Login activity loggingLog successful and failed logins for security monitoring. How to log security events

Session Management 6

Session cookies are HttpOnlyPrevents JavaScript access to session cookie. How to secure session cookies

Session cookies are SecureOnly sent over HTTPS. How to secure session cookies

SameSite attribute setUse Lax or Strict to prevent CSRF. How to prevent CSRF

Session regeneration on loginGenerate new session ID after successful login. How to prevent session fixation

Session timeout configuredAuto-logout after inactivity period. How to configure session timeout

Logout invalidates sessionSession is destroyed server-side, not just cookie deleted. How to implement secure logout

Password Reset 6

Reset tokens are cryptographically randomUse crypto.randomBytes or equivalent. How to generate secure tokens

Reset tokens are single-useToken is invalidated after use. How to implement single-use tokens

Reset tokens expire quickly1 hour or less is recommended. How to configure token expiration

::checklist-item{label="Same response for existing/non-existing emails" description=""If an account exists, you'll receive an email". How to prevent account enumeration"} ::

Rate limiting on reset requestsPrevent email bombing and enumeration. How to rate limit reset requests

All sessions invalidated on password changeForce re-login on all devices after password change. How to invalidate all sessions

OAuth/Social Login 4

State parameter used and verifiedPrevents CSRF attacks on OAuth flow. How to secure OAuth

Redirect URIs are exact matchesNo wildcards in OAuth redirect configurations. How to configure OAuth redirects

Minimum scopes requestedOnly request permissions you actually need. How to choose OAuth scopes

Email verified before account linkingPrevent account takeover via unverified OAuth email. How to verify OAuth emails

JWT Security (if applicable) 4

Strong secret keyAt least 256 bits of entropy. How to generate JWT secrets

::checklist-item{label="Algorithm specified and verified" description="Prevent "none" algorithm attacks. How to prevent JWT algorithm attacks"} ::

Short expiration timesAccess tokens should be short-lived (15-60 min). How to configure JWT expiration

Refresh token rotationIssue new refresh token on each use. How to implement refresh token rotation

Authentication Best Practices

If possible, use a proven authentication library or service like NextAuth, Clerk, or Auth0 rather than implementing auth from scratch. These solutions handle many security edge cases automatically.

What hashing algorithm should I use for passwords?

Use bcrypt or Argon2 for password hashing. Never use MD5, SHA1, or plain SHA256. These dedicated password hashing algorithms are designed to be slow and include salting, which protects against rainbow table and brute force attacks.

Should I use JWT or session cookies?

Both can be secure if implemented correctly. JWTs are stateless and good for APIs, but can't be revoked easily. Session cookies stored in HttpOnly cookies with database-backed sessions allow revocation but require server-side storage. Choose based on your revocation needs.

How long should password reset tokens last?

Password reset tokens should expire within 1 hour or less. They should be single-use (invalidated after the password is changed) and cryptographically random (at least 32 bytes). Always hash the token before storing it in the database.