Menu

8 Basic Rules for Handling Passwords Securely

In Information Security Damilare

Authentication, Authorization, Authentication… some say passwords have failed. They may be right, but passwords are still here. Software developers should expect users to select strong passwords and likewise, software users expect their data (including passwords) to be stored securely by software vendors. There never seems to be a wrong time to talk about this considering the almost constant trend of data breaches.

Here are 8 basic rules for handing passwords securely:

  1. Provide Brute Force Protection at Authentication Points: This defeats attackers who try to repeatedly guess and try passwords using automation.
  2. Hash All Passwords in Storage: Passwords must be stored in such a way that if the system is breached, their value cannot be discovered. PBKDF2 is an algorithm that is the default recommended for securely storing passwords; it requires as input a hashing algorithm, a number of iterations, a salt and a password. NIST’s recommendations are to use PBKDF2 with 10,000 iteration and at least a 32 bit salt produced by a secure random number generator
  3. Enforce or Provide Mechanisms for Strong Passwords Selection: ‘Strong’ is often based on a company’s policies but at least you can (or help admins to) prevent your users from selecting ‘password123’. NIST recommends a minimum password length of 8 characters for regular user accounts and a minimum of 14 characters for admin accounts.
  4. Validate Passwords Against a Dictionary Before Accepting: Passwords should not be allowed if they are commonly found in dictionaries used by hackers or based on such with minor modifications commonly used. Cracking tools will attempt multiple iterations on common password strings: password, Password, Password0, Passw0rd.
  5. On Failed Login, Do Not Disclose Username or Password Failure: Error messages should be generic to avoid user enumeration.
  6. Out of Band Authentication for Password Reset: Require some sort of second factor, such as an out of band SMS message to a phone, before sending a password change request email.
  7. Re-authenticate users prior to password changes/ updates: Before allowing password updates, the application should re-authenticate the user.
  8. Avoid Hard coded secrets: Apps must not have any hardcoded secrets (passwords, credentials, private keys, hidden commands) in the compiled code or source code.

Much thanks and a shout out to my colleague and friend, Antonio Martin, for helping to put the crux of this list together.

Post Navigation

Windows Driver Security and Fuzzing Resources

Free Open Source Security Assessments Placed Online

Related Posts:

Complex Passwords Are Probably Useless

Comparing Single Sign-on Protocols: OAuth vs OpenID vs SAML vs WS-Federation

Leave a reply:

Your email address will not be published.

Time limit exceeded. Please complete the captcha once again.

Sliding Sidebar

About Me

About Me

Hi there, Thanks for stopping by! I'm Damilare, a Security Architect at Intel Corporation, an author, and an un-hibernating entrepreneur. I started this blog as my little contribution to the information sharefest that is the internet. I'm a Jesus follower who enjoys nature, and exercise. Here’s to sharing and connecting!

Tweets