Writing the code for the user authentication portion of a web site (including account registration, logins, and password resets) is pretty simple, but what do you need to make a really good user authentication setup? For example, I’d consider not storing plaintext passwords to be a bare minimum requirement for a web site, but that piece of advice seems to be largely transmitted by word of mouth, and plenty of sites still fail to follow it.
What is some other good advice or good requirements for the user auth portion of a web site? For example, should usernames be user-selected, or should they be email addresses? Any pitfalls for the user registration portion? (CAPTCHAs are probably worth a whole topic by themselves.) Any pitfalls for the password reset portion? Anything else?
Edit:
Somewhat duplicated here : best-practices-for-login-pages
Encryption
There was a question about this yesterday – ‘Why should I care about hashing passwords anyway?‘ which covers all the reasons why you should do this.
Captcha
I disagree with Ricardo on the captcha point – always require a captcha, even really unpopular sites get targetted by spammers. I have blogs that I set up to test some bits of code that I never linked to from anywhere else that were miraculously found by spammers. When a spammer has flooded your site with zillions of identical posts about viagra you’ll regret not taking the extra 20 mins to install a captcha. reCaptcha has some plugins that make installing it pretty simple, AND you get to help them digify books.
Don’t forget that visually impaired users will need an audio captcha.
Forgot password
If you have confirmed the user’s email address then you can just generate a random new password for them. Make sure to prompt them to change their password immediately though as people will forget randomly generated passwords straight away.
Emails
DON’T bother trying to implement complex regex’s that cover all possible email addresses. Do a simple check for an @ and then let the user click on a link sent to their email address to verify. This is common practice these days but I still come across people trying to get ‘clever’ about it.
Form validation
As well as your server side validation on the registration form you should have client side validation in the form of AJAX to let the user know as they’re filling it out whether their chosen username is taken, whether their password is acceptable, etc. Users can get frustrated by having to re-submit registration forms several times.
Authentication itself
It’s nice to let people log in with either their username or email address as people are more likely to remember email addresses than usernames, especially if they haven’t been to your site in a while.
If your site needs added security (for example, if you’re selling stuff and people can get it just by logging in), request another piece of information. Asking for their zip/postal code is a good idea as it only takes a few extra seconds to type and makes it considerably more difficult to brute force passwords.