Laravel Authentication Security Checklist

Use Laravel's Password::min(8) validation rule. Consider requiring 12+ characters for sensitive applications. Longer passwords are significantly harder to crack than short complex passwords.

Laravel uses bcrypt by default, which is secure. For higher security, switch to Argon2id in config/hashing.php. Never use MD5, SHA-1, or SHA-256 for password hashing — they are too fast to resist brute-force.

Use Laravel's Password::uncompromised() validation rule to check passwords against the Have I Been Pwned database. This prevents users from choosing passwords that are already in known breach databases.

This includes log files, email notifications, and admin panels. Ensure password fields are never logged, and use the hidden cast or $hidden property on the User model.

Use Laravel's built-in login throttling or implement a lockout mechanism that temporarily blocks login attempts after 5 consecutive failures. This prevents brute-force attacks.

In config/session.php, set secure to true (HTTPS only), http_only to true (no JavaScript access), and same_site to lax or strict. This prevents session theft via XSS and CSRF.

Call session()->regenerate() after successful authentication to prevent session fixation attacks. Laravel's built-in authentication does this automatically, but verify it if you have custom login logic.

Configure lifetime in config/session.php based on your application's sensitivity. Financial applications should use shorter lifetimes (15-30 minutes). Set expire_on_close to true for sensitive applications.

The file session driver works for development but can have issues with load balancers and does not support easy session management. Use database or Redis for production deployments.

When a user changes their password, invalidate all other active sessions. Laravel provides Auth::logoutOtherDevices($password) for this purpose. This ensures compromised sessions are terminated.

Use Laravel Fortify or Jetstream's built-in 2FA support. TOTP-based 2FA (Google Authenticator, Authy) adds a second layer that protects accounts even if passwords are compromised.

Generate one-time recovery codes that users can store safely for account recovery if they lose access to their 2FA device. Laravel Fortify handles this automatically.

Apply throttle middleware to password reset and email verification endpoints. Without rate limiting, these endpoints can be used for email bombing and user enumeration.

Return "Invalid credentials" instead of "User not found" or "Incorrect password". Specific messages allow attackers to enumerate valid email addresses and usernames.

Log successful logins, failed attempts, password changes, and 2FA events. Include IP addresses and user agents. This data is essential for detecting unauthorized access and forensic analysis.