Background
Classic mistakes: no rate limiting on failed logins, predictable password resets, sessions that never expire, no MFA.
Questions to ask yourself
- Does our customer portal allow weak passwords?
- Does it lock accounts after repeated failed attempts?
- Do password reset emails expire quickly?
- Do we offer or require MFA?
- How long do sessions stay alive?
What you can do today
Don't roll your own auth
Authentication is a solved problem.
1. Use a recognised authentication provider (Auth0, Microsoft Entra ID, AWS Cognito, Okta, Clerk) rather than writing login, password reset and session handling yourself.
2. Enforce MFA for any account that can move money or reach personal data.
3. Set sensible password rules (length over forced complexity), store passwords with a modern slow hash (bcrypt or Argon2, never a fast unsalted hash), and rate-limit failed attempts. Prefer throttling or a temporary lockout to a permanent one, otherwise an attacker who knows a username can lock the real customer out.
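If you do have to own any of this in-house, the pieces fit together as below. This is an added example written for this page, not code from any of the providers named above; the function and class names, the sample user and the timing constants are illustrative. Standard-library scrypt stands in for bcrypt/Argon2 so the block runs offline with no extra packages; the shape (salted slow hash, parameters stored alongside the digest, constant-time compare) is the same with argon2-cffi or bcrypt. It covers each of the classic mistakes from the Background: a temporary sliding-window lockout on failed logins, an unguessable single-use reset token with a 15-minute expiry, and sessions bounded by both an idle and an absolute lifetime.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Password storage: a memory-hard KDF with a per-user random salt.
# Standard-library scrypt stands in for bcrypt/Argon2 so this runs offline;
# with argon2-cffi the shape is the same (PasswordHasher().hash / .verify).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Parameters travel with the hash so they can be raised later without a flag day.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Password policy: length over complexity. The upper bound caps KDF cost on
# attacker-chosen input.
MIN_PASSWORD_LENGTH, MAX_PASSWORD_LENGTH = 12, 128

def password_acceptable(password: str) -> bool:
    return MIN_PASSWORD_LENGTH <= len(password) <= MAX_PASSWORD_LENGTH

# Rate limiting: a sliding window of failures per account. The lock is
# temporary (window_seconds) so an attacker cannot permanently lock out a user.
@dataclass
class LoginLimiter:
    max_failures: int = 5
    window_seconds: float = 15 * 60
    _failures: dict = field(default_factory=dict)

    def is_locked(self, username: str, now: float) -> bool:
        recent = [t for t in self._failures.get(username, ())
                  if now - t < self.window_seconds]
        self._failures[username] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, username: str, now: float) -> None:
        self._failures.setdefault(username, []).append(now)

    def clear(self, username: str) -> None:
        self._failures.pop(username, None)

# Hash of a random string: unknown usernames are verified against it so that
# login timing does not reveal which accounts exist.
DUMMY_HASH = hash_password(secrets.token_hex(16))

def attempt_login(users: dict, limiter: LoginLimiter,
                  username: str, password: str, now: float) -> str:
    if limiter.is_locked(username, now):
        return "locked"
    ok = verify_password(password, users.get(username, DUMMY_HASH)) and username in users
    if not ok:
        limiter.record_failure(username, now)
        return "denied"
    limiter.clear(username)
    return "ok"

# Password reset: an unguessable token (256 bits from the OS CSPRNG), stored
# only as a hash, that expires after 15 minutes and can be redeemed once.
RESET_TTL_SECONDS = 15 * 60

@dataclass
class ResetStore:
    _tokens: dict = field(default_factory=dict)  # sha256(token) -> (username, expiry)

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[key] = (username, now + RESET_TTL_SECONDS)
        return token  # goes in the email; only its hash stays in the store

    def redeem(self, token: str, now: float):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(key, None)  # pop: a token works at most once
        if entry is None:
            return None
        username, expiry = entry
        return username if now < expiry else None

# Sessions: both an idle timeout and an absolute lifetime, so a stolen cookie
# stops working even if the attacker keeps it active.
SESSION_IDLE_SECONDS, SESSION_ABSOLUTE_SECONDS = 30 * 60, 12 * 3600

def session_valid(created: float, last_seen: float, now: float) -> bool:
    return (now - created < SESSION_ABSOLUTE_SECONDS
            and now - last_seen < SESSION_IDLE_SECONDS)
```

Two details worth keeping when you port this: the reset store keeps only a hash of the token, so a leaked database dump does not hand out working reset links, and the login path runs the slow hash for unknown usernames too, so response time does not tell an attacker which accounts exist.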