igbuend/password-based-authentication-pattern
skills/password-based-authentication-pattern/SKILL.md
Security pattern for implementing password-based authentication. Use when designing login systems with username/password, implementing password storage, hashing, salting, peppering, password policies, or password reset flows. Specialization of the Authentication pattern.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard password-based-authentication-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:20 PM77.6s1 file scanned
SKILL.md
- name:
- password-based-authentication-pattern
- description:
- Security pattern for implementing password-based authentication. Use when designing login systems with username/password, implementing password storage, hashing, salting, peppering, password policies, or password reset flows. Specialization of the Authentication pattern.
Password-Based Authentication Security Pattern
A subject proves identity by providing a correct identifier (username/email) and corresponding password. Relies on the assumption that only the actual owner knows the correct password.
Core Components
| Role | Type | Responsibility | |------|------|----------------| | Subject | Entity | Provides identifier and password | | Enforcer | Enforcement Point | Ensures authentication before action processing | | Verification Manager | Entity | Collects inputs for password verification | | Comparator | Decision Point | Compares hash values | | Hasher | Cryptographic Primitive | Calculates hash values | | Password Store | Storage | Keeps hash values for registered identities | | Registrar | Entity | Handles subject registration | | Resetter | Entity | Handles credential reset | | Password Policy | Information Point | Rules passwords must satisfy | | SRNG | Cryptographic Primitive | Secure random number generator |
Data Elements
- id: Identifier (username, email)
- pwd: Password provided by Subject
- hash(pwd): Hash value of password
- salt: Random value unique per Subject
- pepper: System-wide secret for additional protection
Password Hashing
Required Approach
- Use modern password hashing algorithms: Argon2, scrypt, bcrypt, or PBKDF2
- Never use general-purpose hash functions (MD5, SHA-1, SHA-256) alone
- Always use salting (typically automatic with modern algorithms)
Salting
- Add random string unique per Subject before hashing
- Ensures identical passwords produce different hashes
- Salt stored in plaintext alongside hash
- Modern algorithms handle salt automatically
Peppering (Optional)
- System-wide secret added before hashing
- Stored separately from password store
- Provides additional protection if password store is compromised
Registration Flow
Three approaches for credential determination:
- Subject provides identifier and password
- Subject provides identifier; Registrar selects password
- Registrar selects both identifier and password
Upon completion:
- Password Store contains: identifier, hash(salted password), salt
- Subject possesses: identifier and password
Password Policy
Enforce policies including:
- Minimum/maximum length
- Character requirements
- Common password blacklist
- Breach database checking
Password Reset
- Verify Subject identity through out-of-band channel
- Generate time-limited reset token
- Never reveal whether account exists
- Invalidate existing sessions after reset
- Force re-authentication
Security Considerations
Password Store Protection
- Encrypt at rest
- Restrict access
- Monitor for breaches
- Detect tampering
Identifier Security
- Don't rely on identifier secrecy
- Prevent enumeration attacks
- Use consistent timing for valid/invalid identifiers
Verification Timing
- Use constant-time comparison
- Prevent timing attacks
Implementation Checklist
- [ ] Using Argon2/scrypt/bcrypt/PBKDF2
- [ ] Automatic salting enabled
- [ ] Password policy enforced
- [ ] Secure reset flow implemented
- [ ] Rate limiting on login attempts
- [ ] Constant-time hash comparison
- [ ] No credential logging
References
- Source: https://securitypatterns.distrinet-research.be/patterns/01_01_002__authentication_pwd/
- OWASP Password Storage Cheat Sheet
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026