Quiz Entry - updated: 2026.07.14
What measures are needed to protect authentication systems?
Layer defenses: salted slow-hash storage, a strong password policy, generic error messages, lockout + rate limiting, HTTPS everywhere, and MFA on top.
| # | Measure | Why it matters |
|---|---|---|
| 1 | Unique username | Prevents enumeration of valid accounts |
| 2 | Password policy | Min length ≥ 12 chars, check against breached password lists |
| 3 | Correct password storage | Hash with salt using bcrypt/Argon2 (NOT MD5/SHA1!) |
| 4 | No default credentials | admin/admin is the first thing attackers try |
| 5 | Generic error messages | "Invalid credentials" — don't reveal if username exists |
| 6 | Temporary lockout | After 5-10 failed attempts, lock for increasing duration |
| 7 | Rate limiting | CAPTCHA, throttling — stops automated attacks |
| 8 | HTTPS everywhere | Credentials in plaintext over HTTP = instant compromise |
| 9 | Monitoring & WAF | Detect attack patterns in real-time |
| 10 | Multi-factor auth | Even if password is stolen, second factor protects account |
See: OWASP Authentication Cheat Sheet
Go deeper:
PortSwigger — Securing authentication mechanisms — concise checklist (encrypt credentials, anti-enumeration, brute-force prevention, MFA).