CS2610: Intro to Cyber Security and Network Communications
Authentication Systems
User Authentication: Main concept of access control.
Password: Something you know.
Token: Something you have.
Biometric: Something you are.
Multifactor: Combination of something you know/have/are.
A salt is a value that is added to the password, usually:
saltedhash(password) = hash(password + salt), or
saltedhash(password) = hash(hash(password) + salt)
(All the system stores is saltedhash and salt.)
The salt is then stored alongside the password hash. Even better if the salt is unique to each user.
This makes attacks that use precomputed tables (e.g., rainbow table attacks, or a precomputed table of hashes of common passwords) impossible, and with per-user salts it also stops an attacker from telling when two users have the same password.
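An added example (not from the course notes) implementing the first formula above, with SHA-256 standing in for hash and a random per-user salt; the user names, the in-memory store and the attacker's table are constructed for illustration:

```python
import hashlib
import hmac
import secrets

def salted_hash(password: str, salt: bytes) -> bytes:
    # saltedhash(password) = hash(password + salt), as in the notes.
    # SHA-256 stands in for "hash"; a real system would use a deliberately
    # slow password hash (hashlib.pbkdf2_hmac, scrypt or Argon2) instead.
    return hashlib.sha256(password.encode("utf-8") + salt).digest()

def register(store: dict, username: str, password: str) -> None:
    # Fresh random salt per user; only (salt, saltedhash) is stored.
    salt = secrets.token_bytes(16)
    store[username] = (salt, salted_hash(password, salt))

def verify(store: dict, username: str, password: str) -> bool:
    if username not in store:
        return False
    salt, stored = store[username]
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, salted_hash(password, salt))

def demo() -> dict:
    # Constructed scenario: two users who happen to choose the same password.
    store = {}
    register(store, "alice", "happiness!@#$%^")
    register(store, "bob", "happiness!@#$%^")
    # Constructed attacker table of *unsalted* hashes of common passwords.
    common = ["password", "123456", "happiness!@#$%^"]
    table = {hashlib.sha256(p.encode("utf-8")).digest(): p for p in common}
    return {
        "alice_ok": verify(store, "alice", "happiness!@#$%^"),
        "alice_wrong": verify(store, "alice", "Happiness!@#$%^"),
        "unknown_user": verify(store, "carol", "happiness!@#$%^"),
        # Per-user salts: identical passwords no longer give identical hashes.
        "same_hash_for_same_password": store["alice"][1] == store["bob"][1],
        # The precomputed table matches nothing in the salted store.
        "table_hit": any(h in table for _, h in store.values()),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```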
There is no reason passwords should be needlessly restricted other than physical UI limitations (e.g., physical keypad on an ATM).
UI is extremely important for communicating password limitations and requirements.
Even just a faulty “password strength” bar that gives a user a false sense of security can encourage terrible passwords.
happiness!@#$%^
, check against HaveIBeenPwned, and compare against known info (name, email, etc.), you shouldn’t even have it.
Single Sign On: One set of credentials gives access to a host of services.
Remember: SSO isn’t the same as MFA, but because one SSO credential unlocks many services we really want to secure SSO, so we usually protect SSO with MFA.