Easiest way to manage user passwords in a Web App

Scenario

I'm helping with an internal project: a web application developed in Angular and C#. Right now the admin creates a new user and types in a password himself or herself. In my opinion this is neither secure enough nor private, as the admin has to manually enter a new password on behalf of someone else. This is not only time consuming but also error prone, even if new users are not created often.

Alternatives

There are plenty of popular approaches, such as:

  • generating a magic link that lets the new user enter his or her new password on a separate page
  • using OAuth and enabling login through external providers such as Gmail and Facebook
  • Two Way Authentication, required for the initial login, with the system sending a code to the new user's mobile phone
  • Multi-Factor Authentication

This is the normal flow for most modern applications on the web.

Easiest Solution

A much simpler and easier option is to discard the password field from the UI completely. When the admin creates a new user, that user receives an email with a strong, securely generated password. In this way nobody apart from the user knows the password.

If the user forgets his or her password, we can also add a reset password button in the User Management UI, which sends an email with a new password.

This is by no means a novel idea; it has been present in applications for years. It is, however, an ideal solution for quickly improving user management security, especially in Minimum Viable Products (MVPs).

Database

In the database only the hashed password is stored. When we need to verify it, the password the user supplies is hashed and compared with the stored hash. At no point are passwords stored in clear text in the database.
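An added C# example (not code from the original post or its project) showing the backend side of this flow: a password generated with the platform's cryptographic RNG, the bcrypt hash that is the only value persisted, and the verification at login. It assumes the BCrypt.Net-Next NuGet package; the class, method names and alphabet are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Assumes the BCrypt.Net-Next package (namespace BCrypt.Net) is referenced.
public static class PasswordProvisioning
{
    // Constructed alphabet that leaves out visually ambiguous characters
    // (0/O, 1/l/I) so the emailed password can be typed without error.
    private const string Alphabet =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*?";

    // Generates the initial password with a cryptographically secure RNG.
    // RandomNumberGenerator.GetInt32 draws uniformly, so there is no modulo bias.
    public static string GenerateInitialPassword(int length = 20)
    {
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)]);
        return sb.ToString();
    }

    // Called when the admin creates the user: returns the clear password
    // (emailed once, never stored) and the bcrypt hash (the only value persisted).
    public static (string ClearPassword, string Hash) ProvisionUser()
    {
        string clear = GenerateInitialPassword();
        string hash = BCrypt.Net.BCrypt.HashPassword(clear, workFactor: 12);
        return (clear, hash);
    }

    // Login check: bcrypt re-hashes the candidate with the salt embedded in the
    // stored hash and compares the result; the clear password is never stored.
    public static bool VerifyPassword(string candidate, string storedHash)
        => BCrypt.Net.BCrypt.Verify(candidate, storedHash);

    public static void Main()
    {
        var (clear, hash) = ProvisionUser();
        Console.WriteLine($"Email this once to the user: {clear}");
        Console.WriteLine($"Store only this in the database: {hash}");
        Console.WriteLine(VerifyPassword(clear, hash));
        Console.WriteLine(VerifyPassword(clear + "x", hash));
    }
}
```

The same ProvisionUser call serves the reset password button: generate a new password, overwrite the stored hash, and email the clear value once.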

Also, in the user interface, the frontend should not send the clear password to the API but should instead already apply a hashing mechanism such as BCrypt. If a man in the middle intercepts this data, he or she will obtain the hashed password and not the real one. We can also encrypt the whole payload required for login.