LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What measures are needed to protect authentication systems?

Layer defenses: salted slow-hash storage, a strong password policy, generic error messages, lockout + rate limiting, HTTPS everywhere, and MFA on top.

# Measure Why it matters
1 Unique username Prevents enumeration of valid accounts
2 Password policy Min length ≥ 12 chars, check against breached password lists
3 Correct password storage Hash with salt using bcrypt/Argon2 (NOT MD5/SHA1!)
4 No default credentials admin/admin is the first thing attackers try
5 Generic error messages "Invalid credentials" — don't reveal if username exists
6 Temporary lockout After 5-10 failed attempts, lock for increasing duration
7 Rate limiting CAPTCHA, throttling — stops automated attacks
8 HTTPS everywhere Credentials in plaintext over HTTP = instant compromise
9 Monitoring & WAF Detect attack patterns in real-time
10 Multi-factor auth Even if password is stolen, second factor protects account

See: OWASP Authentication Cheat Sheet

Go deeper:

From Quiz: SPRG / Authentication & Session Management | Updated: Jul 14, 2026