Auth Best Practices

Password policies, login rate limiting, MFA/2FA, email verification, password reset expiry, logout everywhere, and critical action confirmation.

9 vulnerabilities

No Password Policy

medium

Accepting any password — including '123' or 'a' — makes your user accounts trivially vulnerable to credential stuffing and brute force attacks.

CWE-521 / OWASP A07:2021

No Rate Limit on Login

medium

A login endpoint without rate limiting can be brute-forced thousands of times per second until a valid password is found.

CWE-307 / OWASP A07:2021

No MFA/2FA

low

Without multi-factor authentication, a stolen or guessed password is all it takes to fully compromise an account.

CWE-308 / OWASP A07:2021

No Email Verification

medium

Allowing unverified email accounts lets attackers register with someone else's email address, potentially locking them out or impersonating them.

CWE-358 / OWASP A07:2021

Password Reset Token Without Expiry

medium

Password reset links that never expire stay valid indefinitely — an old email in a breach gives attackers a permanent account takeover path.

CWE-640 / OWASP A07:2021

No Logout Everywhere

low

Not providing a 'log out all devices' option leaves sessions active on stolen or forgotten devices indefinitely.

CWE-613 / OWASP A07:2021

No Login Notification

info

Not notifying users of new logins means they have no way to know if their account was accessed from an unfamiliar device.

CWE-778 / OWASP A09:2021

No Password Strength Indicator

info

Without real-time feedback on password strength, users default to weak passwords they already know — even when you require complexity.

CWE-521 / OWASP A07:2021

No Confirmation for Critical Actions

medium

Destructive or irreversible actions (delete account, transfer funds, change email) without a confirmation step are vulnerable to CSRF and accidental clicks.

CWE-778 / OWASP A01:2021