Usernames and passwords are the standard factor for accessing user accounts on the web, so it’s likely that if your users have accounts, that’s the way you have them sign in. Keeping up with best practices for handling passwords can be hard, but it is important for your users’ safety. Here’s a quick list of the things you should be doing to secure your passwords today.
When a password is sent from the browser to your server, a clever woman-in-the-middle on the network path can intercept the message and read it. Since that exposes the plaintext password, it’s a serious vulnerability. The easiest and most common defence is to carry the exchange over TLS, the successor to the Secure Socket Layer (SSL) and still widely called by that name. This means getting a certificate from a trusted authority and making sure that password details are exchanged securely, which includes serving the login form itself over HTTPS and not just the endpoint it posts to: a form loaded over plain HTTP can be rewritten by the attacker to post anywhere. There are attacks on older SSL/TLS configurations to be wary of (like the BEAST attack against TLS 1.0), but a current TLS version with a sensible cipher suite will keep your messages safe in transit.
Part of what makes a password secure is that it is paired with a username, so that both pieces of information are needed to log in: an attacker has to pick a specific target and know that target’s username. Usernames are often public, but a site-specific username still mitigates password reuse and keeps an attacker from trying one set of credentials against a large swath of users at once. It is increasingly the trend to use an email address as the username, but this has two negative side effects. First, each account becomes more exposed to breaches that originate on another site. Even if your site has perfect security, once another site leaks a user’s email and password combination, an attacker can try that pair against your site and, if the password was reused, gets immediate access. Second, your system is weaker because any email list becomes a ready-made user list against which to try common passwords.
The safety of a password rests on how hard it is to guess, which is usually expressed in bits of entropy. With each character drawn from the 94 printable ASCII characters (letters, digits, and symbols), each additional character makes a password 94 times harder to brute-force, or about 6.55 bits more entropy. The difference between a 6-character and a 10-character random password is therefore ~26 bits (94^4 = 78,074,896 times as many guesses), which is the difference between cracking a password in a minute and cracking it in a century.
Even though there are 94 possible characters, most passwords are mostly lowercase letters and built from dictionary words, which makes them much easier to crack. Cracking tools exploit exactly this: they try wordlists first, then wordlists with mangling rules (capitalise the first letter, append a digit or symbol, swap 3 for e or 4 for a) long before they fall back to brute force. So adding a number or special character at the end barely helps against a dictionary attack, and replacing letters with numbers won’t significantly slow it down either. Only a password chosen uniformly at random from the full character set actually gets the entropy that the 94-per-character arithmetic promises.
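To make the two preceding paragraphs concrete, here is an added example (not code from the original post) that compares the naive 94^n entropy estimate with the much smaller search space a rule-based cracker actually faces for a mangled dictionary word, and generates a password that really does have the advertised entropy. The wordlist size and the guess rate are assumed round numbers, labelled as such in the code.

```python
import math
import secrets
import string

# The 94 printable ASCII characters other than space: 26 + 26 + 10 + 32.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed size of an attacker's wordlist (hypothetical round number; real lists
# range from tens of thousands to hundreds of millions of entries).
DICTIONARY_SIZE = 100_000


def bits_for_random(length, alphabet_size=len(ALPHABET)):
    """Entropy of a password drawn uniformly from alphabet_size^length possibilities."""
    return length * math.log2(alphabet_size)


def bits_for_mangled_word(substitutable_letters, trailing_digits):
    """Entropy of 'dictionary word + leet substitutions + digits' the way a
    rule-based cracker models it: log2(wordlist) for the word, one bit per letter
    that may or may not be substituted (3 for e, 4 for a, ...), log2(10) per digit."""
    return (math.log2(DICTIONARY_SIZE)
            + substitutable_letters
            + trailing_digits * math.log2(10))


def seconds_to_crack(bits, guesses_per_second):
    """Expected time to hit the password, i.e. to search half the space."""
    return (2 ** bits / 2) / guesses_per_second


def random_password(length=12):
    """A password that really does have bits_for_random(length) bits of entropy.
    Uses secrets (the OS CSPRNG), not the random module, whose output is predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compare(guess_rate=10 ** 9):
    """'P4ssw0rd1' looks like 9 characters from a 94-symbol alphabet, but to a
    cracker it is the word 'password' (4 substitutable letters) plus one digit.
    guess_rate is an assumed 10^9 guesses/second against a fast unsalted hash."""
    naive = bits_for_random(9)
    realistic = bits_for_mangled_word(substitutable_letters=4, trailing_digits=1)
    return {
        "naive_bits": naive,                      # ~59 bits
        "realistic_bits": realistic,              # ~24 bits
        "naive_years": seconds_to_crack(naive, guess_rate) / (365 * 86400),
        "realistic_seconds": seconds_to_crack(realistic, guess_rate),
    }
```

The entropy model is deliberately simple (it ignores that crackers also try capitalisation rules and common suffixes), so the real gap is wider than the numbers it reports, not narrower.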
Hard password reset
One of the problems with single sign-on and other password aggregators is that they put all of a user’s accounts behind a single password, so a compromise of that one password exposes them all. This is obvious with something like Facebook Connect, but allowing password resets via email without any further challenge is essentially the same thing: the user’s mailbox becomes the master password. This is becoming increasingly common practice, since many sites see more than 5% of their users forget and reset their passwords every month. If an attacker gets access to a user’s email, which is more likely than you might think, they can immediately get into every site that uses that email as the username and makes resets easy. Requiring a further challenge before a reset goes through is essential to keeping an account safe; security questions are the traditional choice, though their answers are frequently guessable or public, so a second factor is stronger where you have one. The reset link itself should be a random, single-use token that expires quickly.
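The token side of a safe reset flow, as an added example rather than code from the original post: the link carries a random token from the OS CSPRNG, the server stores only a hash of it (so a database leak does not hand out live reset links), and the token is single-use and expires. The in-memory store and the 15-minute lifetime are assumptions for illustration; whatever extra challenge you require (security question, second factor) gates the call to issue_reset_token in the application.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed: reset links die after 15 minutes

# Hypothetical in-memory store standing in for a database table.
# Maps user_id -> {"token_hash": hex sha256 of the token, "expires": unix time}.
_pending_resets = {}


def issue_reset_token(user_id, now=None):
    """Create a single-use reset token for user_id and return the raw token
    that goes into the e-mailed link. Only its hash is kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    _pending_resets[user_id] = {                 # replaces any older pending token
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(user_id, presented, now=None):
    """Return True, and invalidate the token, only if it matches the pending
    token for this user and has not expired. A wrong token leaves the pending
    entry in place; a correct one is consumed so the link cannot be replayed."""
    now = time.time() if now is None else now
    entry = _pending_resets.get(user_id)
    if entry is None:
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    # compare_digest avoids a timing side channel on the hash comparison.
    if not hmac.compare_digest(entry["token_hash"], presented_hash):
        return False
    if now >= entry["expires"]:
        del _pending_resets[user_id]             # stale token is useless either way
        return False
    del _pending_resets[user_id]                 # single use
    return True
```

Keying the pending token by user_id means a token issued for one user can never reset another, and storing the hash rather than the token means an attacker who reads the table still cannot build a valid link.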
Salting and Hashing
If someone gets access to the credentials on your server, they should find nothing but useless strings of salted, well-hashed passwords that cannot be converted back to plaintext. This keeps accounts safe if your server is compromised, and since the likes of LinkedIn, Yahoo, and even the IEEE have fallen victim to attacks like this, it’s probably safe to say that you should be prepared for them. “Well hashed” means a random salt per user and a deliberately slow password hash (bcrypt, scrypt, or PBKDF2 with a high iteration count), not a single round of a fast general-purpose hash: the LinkedIn dump was unsalted SHA-1, which is why so many of its passwords were cracked so quickly.
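An added example of the storage format described above (not the original post’s code): PBKDF2-HMAC-SHA256 from the Python standard library with a fresh 16-byte salt per password, the parameters stored alongside the hash so they can be raised later, and a constant-time comparison on verify. The iteration count is an assumed tuning value. The unsalted_sha1 function is included only to show what the LinkedIn-style table looks like and why it falls to a single lookup table.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 ships with the standard library; bcrypt, scrypt or Argon2
# are equally good if those libraries are available. The iteration count is an
# assumed value: high enough that each guess costs the attacker real CPU time.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a fresh random salt.
    Two users with the same password get different strings, so a cracker must
    attack each row separately and cannot use a precomputed table."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored in the row and compare
    in constant time, so a mismatch does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_sha1(password: str) -> str:
    """What the leaked LinkedIn table looked like: every user with '123456' has the
    identical digest, so one lookup cracks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()
```

Storing the iteration count in the string is what lets you raise it over time: verify old rows with their recorded cost, and rehash at the new cost the next time the user logs in.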
Account recovery through support staff is one of the trickiest security holes from an engineering perspective because it has almost nothing to do with your technology. Even the most secure systems in the world are prone to human error, and as the attack on Mat Honan demonstrated, the results can be devastating. Only your users should be able to change their passwords. If anyone other than the user must have the power to change a password, they need to be absolutely certain they are talking to the user in question before they make a change. A billing address and the last four digits of a credit card are not enough: that is exactly what the attacker in Honan’s case presented, and it was accepted.
Phishing is another problem that can’t be solved with technology alone; it needs to be constantly watched for and guarded against. Whenever you communicate with a user, make it clear that they should only enter their credentials on your own site. Then keep an eye out for sites that mimic yours and emails that target your users. Vigilance is the name of the game in preventing phishing attacks.
Regular Password Resets
A password that has leaked or been cracked is useful to an attacker only until it is changed, and hitting a moving target is much harder, so it is common to make users change their password every few months, with 3 months a widely used standard. Be aware of the trade-off, though: forced rotation pushes users towards predictable patterns (password1, password2, and so on) that cracking rules try first, and it does nothing against an attacker who already has the current password and uses it straight away. For that reason current NIST guidance (SP 800-63B) recommends against arbitrary periodic changes and in favour of forcing a change whenever there is evidence of compromise. Whichever policy you choose, getting users into the habit of changing a password promptly when you ask them to makes them a much harder target.
The final frontier of password security is two-factor authentication that uses something besides the user’s memory, like a physical device or a one-time code from their phone, to identify the user. A phished or leaked password is then no longer enough on its own, which raises the bar for an attacker considerably. Dedicated hardware tokens can be expensive, but one-time-password apps that follow the TOTP standard (RFC 6238) cost nothing, and when security is really important, one factor isn’t enough.