Best practices for web login / authentication?

Question

Writing the code for the user authentication portion of a web site (including account registration, logins, and password resets) is pretty simple, but what do you need to ma

Answer 1

On the username topic, it depends on how the username will be used on the site (beyond logging in). If your site is based on user generated content and you display the username with the content, allow the user to pick their own and make sure it is not an email address. Also, if the username will be displayed, I generally provide a bit of a warning on the registration form to let the user know, so they don't use their full name only to be angry later when it is displayed on the site.

I would recommend checking the availability and validity of a username through some type of Ajax call while the user is on the form. Having the form re-load with the password and password confirmation gone, just to have to think of a new username and re-input the data is a pain.

Other things to consider would be to enforce min/max lengths and some rules around passwords... don't make it difficult to sign up though. Also, accept special characters in the password. I have a couple of very strong passwords that I like to use and a lot of sites don't let me use them, so my account ends up being less secure than I would have made it on my own.

CAPTCHA is a good idea, just make sure it isn't super-difficult to figure out, that can be frustrating too.

There are a lot of things to consider and several options for each, but hopefully this will get you started.