In today’s digitalized world, there are many myths about what a successful and secure password authentication system should look like.
Management generally expects its engineering, IT or tech department to create a state-of-the-art, secure access management solution as part of overall product development. However, it is often overlooked that the in-house IT department is focused on, and specialized in, product development. Building a secure access system is not only an additional and onerous task on top of an already excruciating workload, but also outside that core competency. Thus, both expertise and resources are often lacking. As a result, a rather lackluster authentication solution is cobbled together and then neglected, as other topics seem more important. In addition, sales, marketing and product units often pressure tech teams to implement more product features instead of “wasting” time on a secure access management solution.
At the same time, an access solution must always be kept up to date in terms of functionality and security, and it must be able to grow with the company or, better yet, scale. Unfortunately, an understanding of security too often only begins after a database, a website or a portal has been compromised. This does not have to be the case!
Even though best practices and research provide clear guidelines on how to build a state-of-the-art access management solution, the checks below can only provide a first, quick assessment of the quality of the solution being evaluated. If one of the factors below does not meet the highest security standards, this does not necessarily mean that the solution is insecure. However, the more of the following checks a solution fails, the more likely it is that it does not follow current security standards. In such a case, a security expert should judge whether changes need to be made. The aim should always be a robust authentication solution that makes brute force, dictionary and credential stuffing attacks as difficult as possible for potential attackers.
We at Engity have many years of experience in the field and are ready to assist you with such security checks.
Below you will find a selection of quick test routines that allow you to evaluate the quality of an authentication system from the outside in four easy steps.
In addition, we have summarized the methods used by hackers to attack user accounts and how you can best protect yourself against these attacks in a separate blog series.
Check the Login Solution while Registering
Registering with a webpage, portal or database, and in particular the password rules enforced during registration, can give you valuable insights into the online security of the provider. A number of factors help you to judge whether the authentication solution is more likely to be a secure one that meets current security standards, or rather a self-developed and/or quickly implemented MVP (minimum viable product).
Implemented rules for Password Lengths, Complexity or Strength
With the professionalization of the online world, the rapidly increasing computing power of cloud-based systems, and digitization in general, the bad guys (hackers) have also refined their techniques for compromising databases and access management systems. While in the early days of the Internet a simple password offered reasonable protection, today even 8- or 10-character passwords alone do not guarantee the integrity and security of a protected system and thus of your data. While experts still debate whether password length or password complexity matters more, research and current guidelines (e.g., NIST SP 800-63B) favor judging a password by its strength, i.e., its estimated resistance to guessing, rather than by fixed composition rules. But how can we find out if a password authentication is following this standard?
Actually, this is quite simple! If the registration or login screen asks for a password of a fixed length (6, 8, 10, 12, etc. characters) combined with mandatory upper- and lowercase letters, numbers and special characters, the provider is still following the older logic of password length plus composition rules. If instead the system does not impose such a fixed scheme but provides a so-called password strength checker (strength meter), this is a very good sign that the provider is up to date with current security standards. While the user enters a new password, the strength checker helps them find a good and secure password. (A minimum length, typically 8 characters, is still sensible; it is the composition rules that should go.)
But a password strength checker alone does not make a system secure if the other components are not taken into account.
Implemented checks for compromised (hacked) passwords
When using a password strength checker, the user can be reasonably confident of having chosen a high-quality password. However, the user cannot know whether this password has already been compromised and can therefore be found on lists of “pwned” (leaked) passwords circulating on the dark web. If so, a previously strong password has become a weak one. As computing power becomes cheaper and cheaper, attackers can simply take entire lists of pwned passwords and test them against a login as part of credential stuffing attacks. Alternatively, they can, of course, continue to carry out brute force or dictionary attacks.
To be on the safe side and give their users maximum security, providers should also check every newly chosen password against such lists of compromised passwords. If a user enters a password that has been compromised and can be found on such a list, they should be warned immediately and asked to choose another one. Such a check does not require handing the password to a third party: with the k-anonymity range lookup offered by Have I Been Pwned, the client sends only the first five hex characters of the password’s SHA-1 hash and compares the returned candidate hash suffixes locally.
The existence of such a checking mechanism can easily be verified by entering passwords like “Password”, “Password123” or “Password123$” during registration. Alternatively, you can trigger a password reset within an existing account and choose one of the three passwords above. If the system does not warn you that the password is compromised, it is not following current security standards. To see what such a warning can look like, have a look at Engity’s homepage or Engity’s demo version: register and enter, e.g., “Password123”.
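The following is an added example (not Engity’s code and not part of the original article) of what a registration form should do instead of enforcing composition rules: it estimates password strength the way a strength meter does, and it checks the password against a breached-password list using the k-anonymity range lookup described above. The word list, the “breached” passwords with their counts, and the acceptance threshold are constructed assumptions; the offline `demo_range_lookup` stands in for the real Pwned Passwords range endpoint, and the strength estimate is deliberately simple compared with a real meter such as zxcvbn.

```python
import hashlib
import math
import re

# Constructed stand-ins for real corpora (a real checker uses millions of entries).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou", "admin"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
SUFFIX_ALPHABET = 21  # 10 digits plus the 11 symbols in the suffix class below


def passes_composition_rules(pw: str) -> bool:
    """The legacy rule set the article warns about: 8+ chars, upper, lower, digit, symbol."""
    return all([len(pw) >= 8, re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])


def estimated_guesses(pw: str) -> float:
    """Crude guessability estimate (assumption: a real meter matches many more patterns).
    A dictionary word with casing/leet tweaks and a short digit/symbol suffix is priced
    as a small search space, not as a brute-force search over every character."""
    core, suffix = re.fullmatch(r"(.*?)([0-9!@#$%^&*._-]{0,4})", pw).groups()
    if core.translate(LEET).lower() in COMMON_WORDS:
        # word rank x 16 casing/leet variants x every possible suffix of that length
        return len(COMMON_WORDS) * 16 * SUFFIX_ALPHABET ** len(suffix)
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
    charset = sum(size for pattern, size in classes if re.search(pattern, pw))
    return float(charset) ** len(pw)


def strength_score(pw: str) -> int:
    """zxcvbn-style 0..4 bucket derived from log10(estimated guesses)."""
    g = math.log10(max(estimated_guesses(pw), 1.0))
    return 0 if g < 3 else 1 if g < 6 else 2 if g < 8 else 3 if g < 10 else 4


def pwned_range_query(pw: str) -> tuple:
    """Client half of the Have I Been Pwned k-anonymity lookup: only the first 5 hex
    characters of SHA-1(password) are sent; the remaining 35 stay on the client."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed offline stand-in for GET /range/<prefix> (a real answer lists hundreds
# of "SUFFIX:COUNT" lines); passwords and counts here are made up for the example.
_DEMO_BREACHED = {"Password": 5, "Password123": 3, "Password123$": 1, "qwerty": 9}
_DEMO_RANGES = {}
for _pw, _count in _DEMO_BREACHED.items():
    _prefix, _suffix = pwned_range_query(_pw)
    _DEMO_RANGES.setdefault(_prefix, []).append(f"{_suffix}:{_count}")


def demo_range_lookup(prefix: str) -> str:
    return "\r\n".join(_DEMO_RANGES.get(prefix, []))


def breach_count(pw: str, range_lookup=demo_range_lookup) -> int:
    """How often the password was seen in breaches (0 = not found). Matching of the
    hash suffix happens locally, so the full hash never leaves this function."""
    prefix, suffix = pwned_range_query(pw)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def validate_new_password(pw: str, range_lookup=demo_range_lookup) -> dict:
    """Registration/reset check: judge strength and reject breached passwords instead of
    enforcing composition rules. Accepting score >= 3 is an assumption of this example."""
    score = strength_score(pw)
    breached = breach_count(pw, range_lookup)
    if breached:
        message = f"This password appeared in {breached} known data breaches. Please choose another one."
    elif score < 3:
        message = "This password would be easy to guess. Try a longer passphrase."
    else:
        message = "OK"
    return {"composition_ok": passes_composition_rules(pw), "score": score,
            "breach_count": breached, "accepted": message == "OK", "message": message}


if __name__ == "__main__":
    for candidate in ("Password", "Password123", "Password123$", "correct horse battery staple"):
        print(f"{candidate!r:34} {validate_new_password(candidate)}")
```

Note what the two approaches disagree on: “Password123$” satisfies every composition rule yet is both weak and breached, while a long lowercase passphrase fails the composition rules and is the only candidate the strength-and-breach check accepts. In production, replace `demo_range_lookup` with an HTTPS call to the range endpoint and keep the suffix comparison on your side.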
Check the Login Solution while Logging in
Careful analysis of the login processes to an access management solution can provide valuable information about the quality and security of an authentication solution.
Separate login screen for username and password
The first thing a user can observe while logging in is whether they have to enter their username and password on the same page or on two successive pages. Even though this is of limited relevance from a security perspective, it gives an idea of the development team’s experience with login user interfaces and user experience, and thus a first indication of the team’s quality. Two-step (identifier-first) login flows at least make it possible to implement smarter authentication flows and various access scenarios, e.g., routing a user to single sign-on or a passwordless method depending on the identifier entered. The very fact that developers anticipate such future adaptations (even if they are not implemented yet) indicates a higher-quality system. One caveat: an identifier-first flow must behave identically for known and unknown identifiers, otherwise it leaks which accounts exist.
Automatic lock-out after repeated incorrect passwords
A good access solution with automatic lock-out functionality detects repeated incorrect password entries and temporarily locks the account to prevent attackers from gaining access via brute force, dictionary or credential stuffing attacks. Depending on the strictness of the solution, the lock is activated after the 3rd, 5th or xth (but at the latest after the 10th) incorrect attempt. Often the account is locked for the first time after the 3rd attempt, e.g., for 10 seconds. The more incorrect passwords are entered, the longer the lockout period becomes; after the 10th failed attempt within a few minutes, it is common for the account to “sleep” for an hour or so. The lock-out aims to prevent bots from testing millions of different passwords against the login. A lock keyed on the account alone, however, can be abused to lock legitimate users out, so it should be combined with rate limiting per source (IP address, device).
Such a lock-out function is one of the most important security features of any password authentication solution. Surprisingly, it is not as common among website and portal providers as it should be. It can only be tested by a user with a working username and password. Testing for the lock-out function helps to understand the security level of the solution.
There are different versions of lock-out features, which translate to different security levels. A lock-out that tells the user how long the lock lasts is user-friendly and better than no lock-out at all. However, telling the user (or the attacker’s bot) that a lock-out exists and how long it lasts allows the brute force, dictionary or credential stuffing attack to be adapted accordingly, e.g., by pausing just long enough between attempts.
Therefore, best practice is a silent automatic lock-out: the user (or attacker) only ever sees the generic message that an incorrect username/password combination has been entered, even while the account is locked. The logic behind this is that a legitimate user will usually reset their password after the third or fourth failed attempt, whereas the attacker’s bot never learns that the lock-out has been activated, keeps trying and thereby extends the lock further. Some advanced systems also send an e-mail to the user, informing them that x unsuccessful login attempts were made with their username and that the account has therefore been temporarily blocked for security reasons.
Test routine for existence of lock-out feature
To test for the lock-out feature, simply enter an incorrect password ten times within seconds or minutes, then immediately switch to the correct password. If you get access, no lock-out functionality has been implemented. If, on the other hand, you cannot log in with the correct credentials, a lock-out feature has most likely been implemented. But no worries: after some time of inactivity (anything from an hour to 24 hours, depending on the solution) the lock is lifted and you can log in again with the correct credentials. Alternatively, you can regain immediate access via the password reset functionality.
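As an added example (not Engity’s code and not part of the original article), here is a silent, progressive per-account lock-out of the kind described above, together with a simulation of the test routine: ten wrong passwords in quick succession, then the correct one. The lock schedule, the one-hour failure window and the notification threshold are assumptions chosen to mirror the article’s numbers; the password check, clock and e-mail notifier are injected so the behaviour can be replayed offline.

```python
import time
from dataclasses import dataclass, field

GENERIC_FAILURE = "The username or password is incorrect."
# Lock duration (seconds) reached after the n-th consecutive failure. Assumption:
# values mirror the article (about 10 s after the 3rd, about an hour after the 10th).
LOCK_SCHEDULE = {3: 10, 5: 60, 7: 300, 10: 3600}
FAILURE_WINDOW = 3600  # failures older than this no longer count (assumption)
NOTIFY_AFTER = 10      # e-mail the account owner once this many failures pile up


@dataclass
class _AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failed attempts
    locked_until: float = 0.0
    notified: bool = False


class SilentLockout:
    """Per-account progressive lock-out that never tells the caller it exists.

    check_password(username, password) -> bool is the real verifier; now() and
    notify(username, n_failures) are injectable so the behaviour can be simulated.
    """

    def __init__(self, check_password, now=time.time, notify=lambda user, n: None):
        self._check = check_password
        self._now = now
        self._notify = notify
        self._accounts = {}

    def login(self, username: str, password: str):
        now = self._now()
        st = self._accounts.setdefault(username, _AccountState())
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW]
        # Always run the (slow) password check, so a locked account cannot be told
        # apart from a wrong password by response time.
        ok = self._check(username, password)
        if now < st.locked_until:
            ok = False  # locked: even the correct password is rejected, silently
        if ok:
            self._accounts.pop(username, None)
            return True, "OK"
        st.failures.append(now)
        self._extend_lock(username, st, now)
        return False, GENERIC_FAILURE  # same text whether wrong, locked, or both

    def _extend_lock(self, username: str, st: _AccountState, now: float) -> None:
        n = len(st.failures)
        reached = [d for threshold, d in LOCK_SCHEDULE.items() if n >= threshold]
        if reached:
            # every further attempt while locked re-arms the lock from "now"
            st.locked_until = max(st.locked_until, now + max(reached))
        if n >= NOTIFY_AFTER and not st.notified:
            self._notify(username, n)  # "x failed attempts; account temporarily blocked"
            st.notified = True

    def locked_for(self, username: str) -> float:
        """Remaining lock time in seconds, for operators and tests; never put this
        in the login response."""
        st = self._accounts.get(username)
        return max(0.0, st.locked_until - self._now()) if st else 0.0


if __name__ == "__main__":
    # Replay the article's test routine against a simulated clock.
    clock = [1_000.0]
    throttle = SilentLockout(lambda u, p: (u, p) == ("alice", "correct-horse"),
                             now=lambda: clock[0],
                             notify=lambda u, n: print(f"mail to {u}: {n} failed attempts, account blocked"))
    for _ in range(10):
        print(throttle.login("alice", "wrong"))
        clock[0] += 1
    print(throttle.login("alice", "correct-horse"), "<- still rejected, lock is silent")
    clock[0] += FAILURE_WINDOW + 1
    print(throttle.login("alice", "correct-horse"), "<- lock expired")
```

The lock is keyed on the account only, which is exactly the property an attacker can abuse to lock a victim out; in a real deployment pair it with a per-source rate limit, and keep the `locked_for` information in operator tooling rather than in anything the login endpoint returns.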
Check the Login Solution with a Knowingly Non-Existing E-mail Account
You can also check the quality of an authentication system by entering input the system does not expect. Such non-obvious input reveals whether the IT team that built the access management system has experience building secure systems. The logic behind this is that experienced developers who have implemented authentication solutions before generally think about such unexpected input and include a best-practice handling for these cases.
As a result, a professional access system will not reveal whether the entered credentials exist. So if you enter a non-existent e-mail address together with some password and the system tells you that the username does not exist (or, for an existing address, that the password is incorrect), this is not a good sign. The better message is: “The username or password is incorrect.” This does not indicate whether a user account exists. Note that the message text is not the only possible leak: if the server skips the (deliberately slow) password hashing for unknown users, the response time alone reveals which accounts exist, so the same work should be done in both cases.
Check the Login Solution while Resetting a Password
The first step in evaluating the password reset function is to look for the feature itself. If it is missing, the authentication was usually implemented in an unfinished state; such a system is generally also not properly tested and most of the time not quality checked.
If a password reset feature exists, you can test the behavior of the solution with a non-existent e-mail address (e.g., abc@xyz.de). If the system tells you that the user account does not exist in the database, this is not a good sign. The best-practice response informs you that the password reset request has been received and that an e-mail with instructions has been sent to the provided address (if an account exists for it).
Admittedly, the leakage of usernames in some solutions of Apple, Google and Microsoft may not be critical per se: most users have an account with these providers anyway, so hiding the existence of an account does not change much. Because this risk cannot be removed, these players invest billions in security measures to reduce the overall vulnerabilities of their solutions as much as possible. For smaller players with fewer financial and IT resources, it makes a lot of sense not to disclose users or usernames, which are security- and privacy-relevant in certain contexts. To give an example: the ability to test usernames on adult entertainment sites (e.g., casinos, hardcore gaming, sex or pornographic sites) can damage users’ reputation and privacy rights. In another blog post we explain how known usernames can be used to compromise user accounts and the associated user data.
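The following added example (not Engity’s code and not part of the original article) shows the enumeration-prone login and password-reset handlers described in this and the previous section beside their hardened forms. The user store, the e-mail address, the password and the reset link are constructed example data; PBKDF2 is used only because it ships with Python’s standard library, and the decoy-record technique for unknown users is the usual way to keep response times equal, which the article’s message-only check does not cover.

```python
import hashlib
import hmac
import os
import secrets
import time

GENERIC_LOGIN_FAILURE = "The username or password is incorrect."
GENERIC_RESET_REPLY = ("If an account exists for this e-mail address, a message with "
                       "password reset instructions has been sent to it.")
ITERATIONS = 100_000  # PBKDF2 rounds; Argon2id or scrypt would be the production choice


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store with a single account (example data, not real users).
USERS = {"alice@example.com": _record("correct-horse")}
# Decoy record: unknown users are checked against this so the server does the same
# amount of work, and takes the same time, whether or not the account exists.
_DECOY = _record(secrets.token_hex(16))


def login_leaky(email: str, password: str) -> str:
    """What the article warns about: distinct messages, plus an early return that
    skips the slow hash for unknown users (a timing oracle even with merged messages)."""
    user = USERS.get(email)
    if user is None:
        return "No account with this user name."
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return "Wrong password."
    return "OK"


def login_hardened(email: str, password: str) -> str:
    """One message and one code path for 'no such user' and 'wrong password'."""
    user = USERS.get(email)
    record = user if user is not None else _DECOY
    match = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    return "OK" if (match and user is not None) else GENERIC_LOGIN_FAILURE


def reset_leaky(email: str, send_mail) -> str:
    if email not in USERS:
        return "No account with this e-mail address."  # confirms which addresses exist
    send_mail(email, "Reset your password: https://example.com/reset?token=EXAMPLE")
    return "An e-mail with reset instructions has been sent."


def reset_hardened(email: str, send_mail) -> str:
    """Same reply either way; the only difference (an e-mail) is visible only to the
    real mailbox owner. The token must be single-use and short-lived (assumption)."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        send_mail(email, f"Reset your password: https://example.com/reset?token={token}")
    return GENERIC_RESET_REPLY


def response_time(fn, *args) -> float:
    """Wall-clock seconds for one call, to make the timing side channel visible."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


if __name__ == "__main__":
    for email in ("alice@example.com", "nobody@example.com"):
        print(f"{email:20} leaky: {login_leaky(email, 'wrong')!r:34} "
              f"hardened: {login_hardened(email, 'wrong')!r}")
        print(f"{'':20} leaky took {response_time(login_leaky, email, 'wrong') * 1000:6.1f} ms, "
              f"hardened took {response_time(login_hardened, email, 'wrong') * 1000:6.1f} ms")
    outbox = []
    for email in ("alice@example.com", "nobody@example.com"):
        print(reset_leaky(email, lambda to, body: outbox.append(to)))
        print(reset_hardened(email, lambda to, body: outbox.append(to)))
    print("reset mails sent to:", outbox)
```

Running the script shows the leaky login answering the unknown address almost instantly while the hardened version takes the same time for both, and the hardened reset returning the identical sentence whether or not a mail went out. Two further points a practitioner will check: the generic replies must also be identical in HTTP status and response size, and the registration form is a third oracle (“this e-mail is already registered”), which is usually closed by e-mailing the existing account owner instead of telling the anonymous requester.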
Overall Evaluation of the Implemented Authentication Solution
Above, we have discussed several things to consider when deciding whether a login solution is likely to be a secure one or not. However, there are more general considerations.
If the access solution offers multiple authentication methods (e.g., password, passwordless, social login, single sign-on) or several factors (e.g., password plus one-time password), this is generally a positive sign and indicates that the provider has some experience with access management systems. On the other hand, such a broad approach can also overwhelm an IT department, both during implementation and later in daily operations.
To summarize, there is no quick and easy answer to whether an evaluated solution is secure. If the majority of the above checks can be answered in the affirmative, this is a good sign. Generally speaking, from a security perspective, offering two-factor authentication to protect user data is always recommended.
Note: This article was first published in September 2023 and last updated and corrected in May 2025.