If you haven't seen it yet, there's a post over on StackOverflow that's been growing over the past few days about form-based authentication in websites. The author wants to make a definitive resource for people to use when making good, secure user authentication systems.
> Please help us create the definitive resource for this topic. We believe that StackOverflow should not just be a resource for very specific technical questions, but also for general guidelines on how to solve variations on common problems. "Form Based Authentication For Websites" should be a fine topic for such an experiment.
They want to include topics like logins, storing passwords, "forgot password" security, OpenID, browser autocompletion, password strength, email validation and more. They already laid out eight different sections with summaries including:
- How To Remain Logged In - The Infamous "Remember Me" Checkbox
- Using Secret Questions
- Checking Password Strength
- Much More - Or: Preventing Rapid-Fire Login Attempts
- Two-Factor Authentication and Authentication Providers
There's some good feedback from other users with other suggestions and links to external resources that could shed some more light on the topic.