Secure Account Creation
When accounts are created several security concerns should be considered.
How to prevent interception of the account password by an unauthorized third party.
How password resets will be implemented and whether any special account information is required to support the password reset process.
Prevent a third party from using cached information on the client computer to compromise the account after the original creator has left the computer.
Depending upon the information collected during the account creation process, it may be necessary for the session between the client and server to be encrypted using the HTTPS protocol.
Transmission of personal information and any security question used for password reset should be kept separate from transmission of account password.
Prevention of robots creating accounts. Use one or more methods including limiting the client ability to attempt to create a number of accounts during a set timeframe, use a CAPTCHA test, or use information that a robot would not fill out the same as a human and check it.
The account password hash should be encrypted using HTTPS when the account is encrypted. The account password hash must be protected from unauthorized third parties both during transmission and storage, therefore it must be transmitted and stored in encrypted format.
The account creation/management software must support password requirements including:
A password/passphrase length of at least 127 two byte characters must be supported.
Minimum complexity rules for passwords must be enforced including minimum length, multiple character types including 3 of 4 types of lower case, upper case, numeric, and special characters.
Account lockout for a minimum number of bad logon attempts (normally 3-4) must be supported. Account reset can be automatic and unlocked after a minimum of 30 minutes or may be set so only administrators can unlock the account.
The system should create logs of account creation attempts and account access access attempts. Logs should be kept as specified by the data retention policy.
The account creation page should use one or more methods to prevent automated creation of accounts including:
Limit the client's ability to create more than a set number of accounts from a specific IP address during a set timeframe. Perhaps a 15 second delay in server response for every account creation page attempt. Or measure the amount of time for the page to be filled out and returned after it is loaded. If the time is too short, it may be a machine.
When an account is created, the system should send an email to the email the account was created under and require the email address to be verified prior to activation of the account. Accounts not verified within 24 hours should be logged and deleted. The email verification process will reduce the need for the CAPTCHA page.
Utilize CAPTCHA test software to prevent spamming of the account creation page.
The account creation page should not be cached in the user browser.
Account Information Fields
Logon ID (8 characters minimum)
Confirm Email address
Choice of secure personal information questions that can be used for password reset (if password reset is a feature) and answer. This information must be transmitted and stored in encrypted form and not cached in the user's browser.
Some personal information either for site use depending on the type of site or to help with verification of identity including:
Height (if adult)
Eye and hair color
Hemisphere you live in (east, west, north, south)
Continent you live on
Depending upon the site, personal information such as who you are, your hobbies, goals, etc.
The page that accepts the account password must only be accepted by the server when the account is being created in order to prevent an attacker from using the page to set the account password.