Complete Replit Authentication Prompt
Building a customer-facing app in Replit? This production-ready authentication prompt is designed for US-based development and non-HIPAA applications. It includes secure registration, login, password management, admin features with MFA, and complete audit logging. No security expertise required. Just copy, paste into Replit, and build. Perfect for SaaS platforms, e-commerce sites, membership platforms, and general web applications.
Important Notes
Non-HIPAA Compliant: This prompt is for general web applications, NOT healthcare or medical data
US Development: Designed for US-based development practices and standards
Suitable For: SaaS platforms, e-commerce sites, membership platforms, customer portals, general web apps
NOT Suitable For: Healthcare applications, medical records, patient data, or any HIPAA-regulated information
Customized: This is a custom login flow rather than using Replit Auth, their integrated (white-labeled) authentication
MFA: Multi Factor Authentication is done by email and not SMS
CAPTCHA Intentionally Omitted: Replit does not currently (at the time of writing this) support CAPTCHA integration. This prompt uses rate limiting and exponential backoff as bot protection instead. If you need CAPTCHA, you'll need to integrate it separately after deployment (e.g., Google reCAPTCHA, hCaptcha).
Need HIPAA compliance? Contact me for a specialized authentication prompt.
What This Prompt Builds
This comprehensive Replit prompt creates a complete, production-ready authentication system with enterprise-grade security features. Simply copy, paste into Replit, and let it build your secure login system.
-
Email & password registration
Email verification (24-hour tokens)
Secure login with rate limiting
Account lockout (20 failed attempts)
Password reset flow
Session management (30-min timeout)
Profile management
-
Mandatory Multi-Factor Authentication
Customer account management
Unlock locked accounts
Force logout sessions
Complete audit logging
Background job monitoring
Activity dashboards
-
Password hashing (bcrypt/Argon2)
CSRF protection
SQL injection prevention
XSS attack protection
Rate limiting
Secure session cookies
TLS 1.2+ encryption
Perfect For These Applications
SaaS Platforms - Customer accounts, subscriptions, team management
E-commerce Sites - Customer accounts, order history, wishlists
Membership Platforms - Community sites, online courses, content access
Customer Portals - Support tickets, account management, billing
Web Applications - Any app needing secure user authentication
Internal Tools - Employee dashboards, admin panels, management systems
Important Note on Financial Applications:
Notice that I did NOT mention financial applications. In such cases, you'll have to tweak Account Lockout to 3-5 attempts to be in alignment with PCI-DSS and other regulatory compliance requirements. Financial apps also require additional security measures beyond this prompt.
How to Use This Prompt
Step 1: Copy the Prompt
Scroll down and copy the entire prompt below (see The Complete Prompt)
Step 2: Open Replit
Go to Replit.com and start a new project
Step 3: Paste & Configure
Paste the prompt into Replit's AI chat. Replit will ask you:
What email service to use (e.g. ReSend, SendGrid, AWS SES, etc.)
Your app name
Any custom configurations
Step 4: Let Replit Build
Replit will automagically:
Choose the best backend framework
Set up the database
Create all authentication flows
Configure security features
Set up email templates
Add some sprinkles and pixie dust
Step 5: Test Everything
Use the testing checklist (separate post coming soon)
What Makes This Prompt Special
User-Friendly Error Messages
No technical jargon for customers. All error messages are clear, helpful, and actionable:
"The email or password you entered is incorrect. Please try again."
NOT: "Error 4042: Database constraint violation"
Security Best Practices
Admins can only unlock accounts, not reset passwords
Password re-entry required for sensitive admin actions
Complete audit trail of all admin activities
Mandatory MFA for all admin accounts
Automated Maintenance
Background jobs:
Deleting unverified accounts after 48 hours
Cleaning up expired tokens
Archiving old logs
Monitoring email delivery
Complete Admin Dashboard
View all customers and their activity
Unlock locked accounts
Monitor background jobs
Search and filter everything
Export audit logs
The Complete Prompt
Instructions: Copy everything in the code block below and paste it into Replit.
Create a secure user authentication system with login, registration, and password management for a customer-facing service where customers can sign up and admins can manage accounts. Registration & Email Verification: - Registration form with mandatory fields: first name, last name, email, and password - Display password requirements before user starts typing - Real-time password complexity indicator showing strength (weak/medium/strong/very strong) - Enforce password requirements: minimum 12 characters, mix of uppercase, lowercase, numbers, and special characters - Send email verification link that expires in 24 hours - Require acceptance of Terms of Service and Privacy Policy - Users cannot login until email is verified - All customer signups automatically assigned "Customer" role - Validate and sanitize all text inputs to prevent SQL injection and XSS attacks - Background job to automatically delete unverified user accounts after 48 hours Login System: - Email and password login fields - Password field hidden by default with show/hide toggle button (eye) - "Remember me" option for convenience - Implement rate limiting to prevent brute force attacks - Redirect customers to profile/dashboard after login - Redirect admins to admin dashboard after login Bot Protection (CAPTCHA Alternative): Note: Since Replit does not currently support CAPTCHA, this system uses rate limiting and exponential backoff for bot protection: - Progressive delays after failed attempts (1 sec, 2 sec, 4 sec, 8 sec, etc.) - IP-based rate limiting to detect automated attacks - Account lockout after 20 failed attempts Account Lockout Policy: - Automatically lock account after 20 consecutive failed login attempts - Lockout remains for 24 hours or until admin unlocks - Send email notification when account is locked - Lockout counter resets after successful login - Display clear message: "Your account has been temporarily locked for security. Please try again in 24 hours or contact support." Password Management: - Password history: prevent reuse of last 5 passwords - Password reset via "Forgot Password" link (reset link expires in 24 hours) - After 8 password reset attempts, delay sending email by 5 minutes - New password must meet complexity requirements with visual strength indicator Customer Profile Page: - View and edit first name and last name - View and select timezone (auto-detected from browser, with manual override option) - View email address (display only) - Change email address functionality: * Request email change * Send verification link to NEW email address * NEW email must be verified before change takes effect * Send notification to OLD email about pending change * OLD email can cancel the change (security feature) * Once new email verified, update account and send confirmation to both emails - Change password functionality - View recent login activity (date/time displayed in user's selected timezone, device type) - Export personal data (profile information, login history, activity logs) - Logout button - Delete account option (with confirmation and data purge notice) User-Facing Messages - CRITICAL: All customer-facing messages must: - Use clear, plain language - NEVER display error codes, system codes, or technical jargon - Be helpful and actionable - Be friendly and professional Examples: GOOD: "The email or password you entered is incorrect. Please try again." GOOD: "This email address is already registered. Please try logging in." GOOD: "Your password must include at least one uppercase letter." GOOD: "This verification link has expired. Please request a new one." GOOD: "Your account has been temporarily locked for security. Please try again in 24 hours." GOOD: "Please enter the verification code we sent to your email." BAD: "Error 4042: Database constraint violation" BAD: "Authentication failed (ERR_AUTH_001)" Admin Security (Enhanced): - Admin accounts MUST have Multi-Factor Authentication (MFA) enabled (mandatory, non-optional) - Admin MFA via email OTP code (6-digit code) - Admin session timeout after 15 minutes of inactivity (shorter than customer sessions) - Require password re-entry for sensitive actions: * Unlocking customer accounts * Deactivating/reactivating accounts * Viewing detailed customer activity logs * Triggering manual background jobs - Log all admin actions with: * Admin user ID and name * Timestamp * IP address * Action performed * Customer affected (if applicable) * Justification note (for sensitive actions) - Alert all Super Admins via email when any admin account logs in Admin Dashboard: - View all customers showing: * Full name * Email address * Account creation date * Account status (active/locked/deactivated) * Failed login attempt counter * Last login date - Search and filter customers by name, email, date, or status - View individual customer details: * Full profile information * Login history with timestamps and IP addresses * Active sessions * Failed login attempts * Password reset history (dates only, not actual passwords) * Account status - Failed login attempts by IP Addresses grid - Admin actions available: * Manually unlock locked accounts (requires password re-entry + justification note) * Force logout customer sessions * Deactivate/reactivate accounts (requires password re-entry + justification) * View complete activity audit trail * IMPORTANT - Admins CANNOT reset customer passwords or trigger password resets - System overview dashboard: * Total users count * Active sessions count * Failed logins today * Locked accounts count * Recent activity log * Admin activity log (recent admin actions) - Admin Management (Super Admin only): * View all admin accounts * Create new admin accounts (with automatic MFA setup) * Deactivate admin accounts * View admin login history and actions * Change admin roles (Admin or Super Admin) Customer Support for Password Issues: - If customer is locked out: Admin unlocks account → customer uses "Forgot Password" themselves - If customer can't access their email: * Admin to verify customer identity through alternative means (phone verification, account details, security questions) * Admin unlocks account only after identity verification * Customer must use "Forgot Password" to regain access - All unlock actions must include: * Justification note explaining reason * Admin password re-entry for verification * Automatic logging with full details - Customer receives email notification: "Your account was unlocked by our support team. If you didn't request this, please contact us immediately and change your password." Background Jobs Monitor (Admin View): - Display all scheduled background jobs: * Job name/type * Last run date/time * Status (Success/Failure) * Records processed * Error messages (if failed) * Next scheduled run time - Job history log with filtering - Visual status indicators (green/red/yellow) - Alert notifications when jobs fail - Manual trigger option for each job (requires admin password re-entry) Background Jobs: - Clean up unverified accounts older than 48 hours - Clean up expired password reset tokens - Clean up expired email verification tokens - Clean up expired MFA codes (admin MFA) - Archive old logs based on retention policy - Monitor email deliverability issues - Optional: Auto-unlock accounts after 24 hours - Clean up expired admin sessions Security Requirements: - Use bcrypt or Argon2 for password hashing - Use TLS 1.2+ for all data transmission - Generate cryptographically secure random tokens - Implement secure session management with httpOnly and secure cookies - Add CSRF protection on all forms - Protect against account enumeration (same message for valid/invalid emails) - Automatic session timeout: 30 minutes for customers, 15 minutes for admins - Rate limiting on all authentication endpoints - Separate rate limiting for admin login attempts (stricter than customer limits) - Admin MFA codes expire after 10 minutes - Log all failed admin login attempts with alerts after 5 failures - Create necessary database indexes for efficient lookups: * Index on users.email (for login lookups) * Index on users.id (primary key) * Index on login_attempts.user_id (for attempt tracking) * Index on password_reset_tokens.token (for reset lookups) * Index on email_verification_tokens.token (for verification lookups) * Index on sessions.user_id (for session management) * Index on admin_logs.admin_id and admin_logs.timestamp (for audit queries) Privacy & Data Handling: - All timestamps stored in UTC timezone in database - Timezone auto-detected from user's browser on first visit - User can manually override timezone in profile settings - All timestamps displayed in UI converted to user's selected timezone - IP addresses logged for security purposes and retained for 90 days - Include IP logging disclosure in Privacy Policy - Complete account deletion includes purging all user data after retention period Admin Account Creation: - Admin accounts created through secure backend process (not public registration) - Role types: Super Admin and Admin - All new admin accounts automatically require MFA setup on first login - Super Admins can create/manage other admin accounts - Initial Super Admin account created during system setup Additional Features: - User-friendly error messages (no technical jargon for customers) - Detailed error logging for admin troubleshooting - Visual feedback for form validations - Loading states for all operations - Responsive, professional UI design - Toast notifications for important events - Audit trail viewer in admin dashboard (searchable and filterable) - Admin activity dashboard showing recent admin actions Email Integration: Prompt me for email service credentials (SMTP settings or API keys) during setup. Email Templates Needed: - Email verification (customers) - Welcome email after verification (customers) - Password reset (customers) - Account locked notification (customers) - Account unlocked by admin notification (customers) - includes security warning - Password changed confirmation (customers) - Email change request verification (to NEW email) - Email change notification (to OLD email with cancel option) - Email changed confirmation (to both OLD and NEW emails) - Account deletion confirmation (customers) - Admin MFA code delivery - Admin login alert (to all Super Admins) - Account unlocked by admin alert (to customer with security notice) - Background job failure alerts (to admins) - Suspicious admin activity alert (to Super Admins) - Multiple failed admin login attempts alert (to Super Admins) Audit Logging: All admin actions must be logged with: - Admin user ID and full name - Timestamp (date and time) - IP address - Action type (unlock account, force logout, deactivate account, etc.) - Customer affected (User ID, name, email) - Justification/reason provided - Result (success/failure) - Session ID Initial Setup: - Instructions for creating the first Super Admin account securely - First Super Admin must set up MFA during initial setup - Configuration for admin email addresses - Configuration for Super Admin alert emails - Configure account lockout settings (20 attempts, 24-hour lockout) - Configure password complexity requirements - Configure session timeout settings (customers: 30 min, admins: 15 min) - Configure admin MFA settings (code expiration, delivery method) Build a complete, production-ready authentication system with clear security implementations and setup instructions. Keep the implementation simple and straightforward while maintaining good security practices. Take future scaling into consideration. CRITICAL SECURITY PRINCIPLES: 1. Customers always control their own password resets - admins can only unlock accounts 2. Admins must use MFA for all logins (mandatory, non-optional) 3. Sensitive admin actions require password re-entry 4. All admin actions are logged with full audit trail 5. Customer-facing messages are clear and friendly with no technical jargon 6. Admin dashboard can show technical details for troubleshooting
After You Build
Testing Checklist
Don't skip testing! Verify these critical features:
Registration creates account and sends verification email
Verification link works and expires after 24 hours
Login works with correct credentials
Account locks after 20 failed attempts
Password reset sends email with working link
Admin MFA is required and works
Admin can unlock customer accounts
All admin actions are logged
Background jobs run successfully
Error messages are user-friendly (no codes!)
Need detailed testing instructions? Check out my Complete Authentication Guide for step-by-step testing procedures…coming soon.
Ready to Build?
You have everything you need. Copy the prompt, open Replit, and build something amazing.
Security doesn't have to be hard. It just has to be done right.
Complete Guide to Building Secure Authentication (Part 1)
Building Secure Authentication for Replit Beginners and Vibe Coders
If you're building your first app in Replit, authentication might seem intimidating. This guide breaks down everything you need to know about user login and signup, explained in plain language.
You'll learn why password hashing matters, how account lockout stops hackers, the secure way to reset passwords, and why email verification prevents fake accounts. Every concept includes real examples showing the right way versus the wrong way.
This guide is for young engineers and vibe coders with basic programming skills who want to build authentication that actually protects users. No advanced security knowledge required.
Security isn't optional. Your users trust you with their data. This guide shows you how to build it right from day one.
For Young Engineers and Vibe Coders using Replit
Seriously, this is meant for the beginners.
Introduction - Why Security Matters
The Real Cost of Poor Security
Bad security can:
Get your app hacked and customer data stolen
Destroy your reputation and lose customers
Result in legal problems and fines
Cost thousands of dollars to fix after launch
Get your app shut down by hosting providers
Good security:
Protects your users' personal information
Builds trust with your customers
Prevents costly breaches and lawsuits
Makes your app professional and credible
Helps you sleep better at night
What You'll Learn
This guide teaches you how to build authentication (login/signup) that:
Actually works - Users can easily create accounts and log in
Is secure - Hackers can't break in or steal data
Follows best practices - Industry-standard security
Is user-friendly - Clear messages, no confusion
Prerequisites
You should know:
Basic programming (variables, functions, if/else)
How to use Replit to create a project
Basic understanding of how websites work
You DON'T need to know:
Advanced security concepts
Complex cryptography
Database administration (Replit handles most of it)
Understanding Authentication Basics
What is Authentication?
Authentication = Proving you are who you say you are
Think of it like:
Showing ID to enter a club (you prove it's really you)
Using a key to unlock your house (only you have the key)
Entering a password to unlock your phone (verification)
The Three Parts of Authentication
1. REGISTRATION (Creating an Account)
User provides: Name, Email, Password
System creates: Account in database
System sends: Verification email
Result: User has an account (but can't login yet)
2. VERIFICATION (Confirming Email)
User clicks: Link in verification email
System checks: Is link valid? Not expired?
Result: Account is verified, user can now login
3. LOGIN (Accessing the App)
User provides: Email and Password
System checks: Do these match what's in database?
Result: User gets access to their account
Why All Three Parts Matter
Without Registration: No accounts = no app
Without Verification: Fake accounts and spam everywhere
Without Login: Anyone can access anyone's account
Registration System
What Information to Collect
MUST COLLECT:
First Name - so you know what to call them
Last Name - for full name identification
Email Address - considered a unique identifier (username)
Password - their secret key to login
SHOULD NOT COLLECT (unless needed):
Phone number - only if you actually need it
Address - only for shipping/billing
Birth date - only if age verification needed
Social security number - never, unless you're finance or govt.
Why less is better:
Less data to protect = less liability
Faster signup = more users complete it
Privacy-friendly = builds trust
Password Requirements Explained
Minimum 12 Characters - Why?
Short passwords are easy to guess
12+ characters = trillions of possible combinations
Makes brute force attacks nearly impossible
Modern best practice (traditional standard is 8, but that's increasingly considered weak)
Password Strength Examples:
Weak: "password123" - Common word + numbers
Okay: "MyPassword123" - Better but still predictable
Strong: "MyP@ssw0rd#2024" - Mixed types, harder to guess
Stronger: "Tr3e$H0use!B1ue" - Even better!
Character types needed:
Uppercase letters (A-Z)
Lowercase letters (a-z)
Numbers (0-9)
Special characters (!@#$%^&*)
Password Strength Indicator
Show users in real-time how strong their password is:
User types: "pass"
Show: WEAK - Too short
User types: "password"
Show: WEAK - Add numbers and special characters
User types: "Password123"
Show: MEDIUM - Add special characters
User types: "P@ssword123"
Show: STRONG - Good to go!
Why this helps:
Users understand what's needed
No frustrating "Password rejected" after submitting
Encourages stronger passwords
Better user experience
Email Verification - Why It's Required
Without email verification:
User enters: fake@notreal.com
Creates account with fake email
You can never contact them
They might be a bot or spammer
With email verification:
User enters: real@email.com
We send verification link
User clicks link to confirm
Now we know email is real
We can contact them if needed
Verification Link Rules:
Expires in 24 hours - Security (old links don't work forever)
One-time use - Can't be reused (prevents sharing)
Unique per user - Can't be guessed
Random token - Cryptographically secure
Example Registration Flow
STEP 1: User fills form
First Name: John
Last Name: Smith
Email: john@email.com
Password: ************
[Create Account Button]
STEP 2: System validates
✓ Is email format valid?
✓ Does password meet requirements?
✓ Is email already registered?
✓ All fields filled out?
STEP 3: System creates account
Hash the password (never store plain text!)
Create database record
Generate unique verification token
Send verification email
STEP 4: User checks email
Welcome to Our App!
Click to verify:
[Verify Email]
Link expires in 24 hrs
STEP 5: User clicks link
System checks: Is token valid?
System checks: Is it expired?
If yes: Mark account as verified
Show: "Email verified! You can now login"
STEP 6: User can login
Now the account is active and ready!
Cleaning Up Unverified Accounts
The Problem:
Day 1: User creates account but never verifies
Day 2: Still no verification
Day 3: Still no verification
... (account just sits there forever taking up space)
The Solution:
Automatic cleanup after 48 hours:
Background job runs daily
Finds accounts created >48 hours ago
Finds accounts still not verified
Deletes them automatically
Frees up database space
Why 48 hours?
Gives users plenty of time (2 full days)
Removes abandoned registrations
Reduces database clutter
Prevents fake account buildup
The Login System
Simple Login - Email and Password Only
Email: john@email.com
Password: *************
[Login Button]
Remember me
Forgot password?
Why not username?
Emails are unique (can't duplicate)
Users already know their email
No "what was my username?" confusion
Industry standard practice
Password Field Best Practices
ALWAYS hide password by default:
Wrong: Password: MyPassword123 (Anyone can see it!)
Right: Password: ************* (Hidden from view)
Include show/hide toggle:
Password: ************* (Click eye to show/hide)
Why?
Protects from shoulder surfing (someone looking over shoulder)
Still lets users check if they typed correctly
Best of both worlds
Account Lockout - Your Shield Against Hackers
The Attack (Brute Force):
Hacker tries:
password
password123
Password123
P@ssword
tries thousands of passwords
Without lockout:
Hacker keeps trying forever
Eventually might guess correctly
Gets into the account
With lockout after 20 attempts:
Hacker tries 20 times
Account locks automatically
Can't try anymore
Account is protected!
Lockout Details:
When: After 20 consecutive failed login attempts
Duration: 24 hours OR until admin unlocks
User notification: Email sent immediately
Reset: Counter resets to 0 after successful login
Important: The counter tracks failed attempts PER ACCOUNT, not per IP address. This prevents an attacker from bypassing the lockout by changing their IP address.
Rate Limiting - Slowing Down Attackers
Without rate limiting:
Attacker tries 1000 passwords per second
1000 attempts × 60 seconds = 60,000 attempts per minute
Can try millions of passwords quickly
With rate limiting:
After 3 failed attempts: Wait 1 second
After 5 failed attempts: Wait 5 seconds
After 10 failed attempts: Wait 30 seconds
After 15 failed attempts: Wait 2 minutes
Massively slows down the attack!
Exponential backoff = waiting time grows:
Attempt 1: Instant
Attempt 2: Instant
Attempt 3: Wait 1 second
Attempt 4: Wait 2 seconds
Attempt 5: Wait 4 seconds
Attempt 6: Wait 8 seconds
...doubles up each time
Session Management - Staying Logged In Safely
What is a session?
When you login, system creates a "session"
Session = temporary permission to be logged in
Session has an ID (like a temporary password)
Session stored in secure cookie
Session timeout - Why it matters:
Scenario: You login at library computer, walk away, forget to logout
Without timeout:
You're logged in forever
Next person uses computer
They access your account!
With 30-minute timeout:
After 30 minutes of no activity
System logs you out automatically
Your account is safe!
Timeout durations:
Customers: 30 minutes (balance of convenience and security)
Admins: 15 minutes (more sensitive, shorter timeout)
"Remember Me" option:
☑️ Remember me for 30 days
What this does:
Keeps you logged in for 30 days
Even after closing browser
Skip login on your personal devices
Still requires password if session expires
When to use "Remember Me":
Your personal computer
Your phone
Public computers
Shared devices
Work computers (if personal account)
Password Management
Password Hashing - The #1 Rule
NEVER STORE PASSWORDS IN PLAIN TEXT!
ABSOLUTELY WRONG (NEVER DO THIS):
Database: ┌──────┬───────────────┬──────────────┐ │ User │ Email │ Password │ ├──────┼───────────────┼──────────────┤ │ 1 │ john@mail.com │ MyPass123! │ │ 2 │ jane@mail.com │ Secret456# │ └──────┴───────────────┴──────────────┘ If database is hacked → All passwords stolen!
RIGHT (ALWAYS DO THIS):
Database: ┌──────┬───────────────┬────────────────────────────┐ │ User │ Email │ Password Hash │ ├──────┼───────────────┼────────────────────────────┤ │ 1 │ john@mail.com │ $2b$10$N9qo8uL... │ │ 2 │ jane@mail.com │ $2b$10$8xKzQ2... │ └──────┴───────────────┴────────────────────────────┘ If database is hacked → Passwords are gibberish! Hacker can't reverse the hash to get real password!!!
What is Hashing?
Hashing = One-way encryption
Password: "MyPass123!" ↓ (hash with bcrypt) Hash: "$2b$10$N9qo8uLTnmicShA..." ↓ (IMPOSSIBLE to reverse!) ✗ Can't get back to "MyPass123!"
How login works with hashing:
Login attempt:
User enters: "MyPass123!"
System hashes input: $2b$10$N9qo8uLTnmi...
System compares to stored hash
If they match → Password correct!
If they don't match → Password wrong!
Use bcrypt or Argon2:
These are trusted hashing algorithms
Specifically designed for passwords
Include "salt" (random data) to prevent attacks
Industry Standard
Example Code Concept
When user registers:
plainPassword = "MyPass123!"
hashedPassword = bcrypt.hash(plainPassword)
save hashedPassword to the database
When user logs in:
inputPassword = "MyPass123!"
storedHash = fetch from database
if bcrypt.compare(inputPassword, storedHash):
login successful!
else:
login failed.Password Reset - The Secure Way
User clicks "Forgot Password":
STEP 1: User enters email
Enter your email: john@email.com
[Send Reset Link]
STEP 2: System generates token
Create random secure token (e.g., "7x9K2mP...")
Save token in database with:
* User ID
* Expiration time (24 hours from now)
* Status: unused
Send email with reset link
STEP 3: Email sent
Password Reset Request
Click to reset: [Reset Password]
Link expires in 24 hrs
STEP 4: User clicks link
System checks: Is token valid?
System checks: Is it expired?
System checks: Was it already used?
If all okay: Show new password form
STEP 5: User sets new password
New Password:
*************
Confirm Password:
*************
[Set New Password button]
STEP 6: System saves new password
Hash the new password
Save hash to database
Mark token as "used"
Send confirmation email
User can now login!
Security features:
24-hour expiration - Old links stop working
One-time use - Can't use same link twice
Random token - Impossible to guess
Rate limiting - After 8 attempts, delay 5 minutes
Email notification - User knows about reset request
Why rate limiting on reset?
Attacker spam-requests resets for victim's email:
1st-8th request: Immediate
9th request: WAIT 5 MINUTES
10th request: WAIT 5 MINUTES
This prevents:
Inbox flooding
Denial of service
Harassment
Password History - Prevent Reuse
The problem:
User's password leaked in data breach
Hacker knows password is "MyPass123!"
Without password history:
User resets to "NewPass456"
Later changes back to "MyPass123!"
Hacker still has valid password!
With password history:
User tries to change to "MyPass123!"
System: "You've used this before"
User must choose different password
How it works:
System stores hashes of last 5 passwords:
$2b$10$N9qo8uL... (current)
$2b$10$K7mP3sT... (previous)
$2b$10$R4xY9wQ... (2 passwords ago)
$2b$10$L1nB5vF... (3 passwords ago)
$2b$10$M8pT2rD... (4 passwords ago)
When user changes password:
System checks new password against all 5
If match found: Reject change
If no match: Accept new password
Add new hash to history
Remove oldest hash
Why 5 passwords?
Balances security and usability
Prevents immediate reuse
Not too restrictive - users can still find a new password
Industry standard
This is Part 1 of the guide. The complete guide continues with:
Admin Security
Error Messages Done Right
Email Integration
Database Security
Common Pitfalls
Testing Your Security
Troubleshooting Guide
Key Takeaways So Far
You've learned:
Why security matters for your app's success
The three parts of authentication (registration, verification, login)
How to collect the right information from users
Why password requirements protect your users
How email verification prevents fake accounts
Why account lockout stops brute force attacks
The critical importance of password hashing
How to implement secure password reset
Next up: Admin security, error messages, email integration, and more!
This is for: Non-HIPAA Customer-Facing Applications
About this guide: This is a comprehensive security guide specifically designed for young engineers and vibe coders building authentication systems in Replit. It explains not just what to do, but why each security feature matters.
Looking for a Replit Prompt? Soon.