Authentication Security Agent Skill
Authentication security — bcrypt/argon2 hashing, brute force protection, secure password resets.
The Skill
---
description: Authentication security — bcrypt/argon2 hashing, brute force protection, secure password resets.
homepage: https://yepapi.com/skills/auth-security
metadata:
tags: [security, authentication, passwords, hashing]
---
# Authentication Security
## Rules
- Hash passwords with bcrypt (cost factor 12+) or argon2id — never store plaintext or use SHA/MD5
- Rate limit login endpoints: max 5 attempts per minute per IP, 10 per account per hour
- Implement exponential lockout: 1s, 2s, 4s, 8s... after failed attempts, hard lock at 10 failures for 15 min
- Password reset tokens: cryptographically random, single-use, expire in 1 hour max
- Return generic errors: "Invalid email or password" — never reveal which field is wrong
- Enforce minimum password length of 8 characters, check against breached password lists (HaveIBeenPwned API)
```ts
import bcrypt from "bcrypt";

// Hash on signup
const hash = await bcrypt.hash(password, 12);

// Verify on login
const valid = await bcrypt.compare(password, storedHash);
if (!valid) {
  await incrementFailedAttempts(userId);
  return res.status(401).json({ error: "Invalid email or password" });
}
await resetFailedAttempts(userId);
```
```ts
// Brute force lockout check
async function checkLockout(userId: string) {
  const attempts = await getFailedAttempts(userId);
  if (attempts.count >= 10) {
    const lockoutEnd = attempts.lastAttempt + 15 * 60 * 1000;
    if (Date.now() < lockoutEnd) throw new Error("Account temporarily locked");
  }
}
```
## Avoid
- Storing passwords in plaintext, base64, or reversible encryption
- SHA-256 for passwords — it's fast, which means brute-forceable
- Revealing whether an email exists during login or password reset
- Password reset links that never expire or can be reused
- Allowing unlimited login attempts from a single IP
Why Use the Authentication Security Skill?
Without this skill, your AI guesses at authentication security patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.
Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.
Try These Prompts
These prompts work better with the Authentication Security skill installed. Your AI knows the context and writes code that fits.
"Implement secure login with bcrypt password hashing and brute force protection"
"Build a password reset flow with cryptographic tokens and expiration"
"Add rate limiting and exponential lockout to my authentication endpoints"
Authentication Security skill — FAQ
It provides rules for password hashing with bcrypt/argon2, brute force protection with exponential lockout, and secure password reset flows. Your AI writes authentication code that resists common attacks by default.
Run `npx skills add YepAPI/skills --skill auth-security` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.
Both are excellent choices. bcrypt with a cost factor of 12+ is the industry standard and widely supported. argon2id is newer and offers better resistance to GPU attacks. The skill covers both approaches.