Monday, January 8, 2018

Web Development best practices: 9 tips for stronger passwords

Stronger passwords are a good practice for keeping our own systems secure. Let's see 9 tips to keep users safe.
We already discussed how to secure our front-end and how to create stronger passwords for ourselves. In this post, I will describe how we, as developers, can integrate those concepts into our applications to reduce the risk of our users' accounts being hacked due to weak passwords.

Tip 1 - Expect stronger passwords

It is time applications started demanding stronger passwords from their users and informing them how secure their password is (more on that later). So, when accepting user-entered passwords, if you don't mind, I will repeat what was written before on this blog, removing what's not applicable:
  • Use passwords with at least 8 characters;
  • At least one number, one capital letter, one lowercase letter and one non-alpha character;
  • Use complex passwords that include numbers, symbols, and punctuation;
  • Use a variety of passwords for different accounts or roles;
  • Do not allow dictionary words as passwords, e.g. apple;
  • Do not allow sequences of characters, e.g. 3333, abcdabcd;
  • Do not allow personal information in passwords, e.g. your birthdate;
  • Do not allow setting the password as the associated service, e.g. Gm@il or Dropbox123;
  • Combinations of the above.
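As an added example (not code from the post), here is a server-side policy check implementing the rules above, returning the list of failed rules so the same result can be shown to the user as feedback. The dictionary, the service names and the user profile are small constructed placeholders; a real deployment would load a full word list and the account's actual profile.

```javascript
// Constructed placeholders: a real deployment loads a full dictionary.
const DICTIONARY = ['apple', 'password', 'welcome'];
const SERVICE_NAMES = ['gmail', 'dropbox'];

// Fold common letter/symbol substitutions so "Gm@il" or "Dropb0x" still match.
function normalise(pw) {
  return pw.toLowerCase().replace(/[@4]/g, 'a').replace(/3/g, 'e')
    .replace(/[1!|]/g, 'i').replace(/0/g, 'o').replace(/[5$]/g, 's');
}

// A character repeated 4+ times (3333) or a chunk repeated back-to-back (abcdabcd).
function hasRepeat(pw) {
  return /(.)\1{3}/.test(pw) || /(.{2,})\1/.test(pw);
}

// Four or more adjacent characters stepping by one code point (abcd, 4321).
function hasRun(pw) {
  let run = 1;
  for (let i = 1; i < pw.length; i++) {
    const step = Math.abs(pw.charCodeAt(i) - pw.charCodeAt(i - 1));
    run = step === 1 ? run + 1 : 1;
    if (run >= 4) return true;
  }
  return false;
}

// Tokens derived from the account (hypothetical profile shape) that must not appear.
function personalTokens(profile) {
  const [y, m, d] = profile.birthdate.split('-');              // "1990-04-15"
  return [...profile.name.toLowerCase().split(/\s+/), profile.email.split('@')[0].toLowerCase(),
          y + m + d, d + m + y, y].filter(t => t.length >= 4);
}

function validatePassword(pw, profile) {
  const low = pw.toLowerCase(), norm = normalise(pw);
  const contains = words => words.some(w => low.includes(w) || norm.includes(w));
  const failures = [];
  if (pw.length < 8) failures.push('at least 8 characters');
  if (!/\d/.test(pw)) failures.push('at least one number');
  if (!/[A-Z]/.test(pw)) failures.push('at least one capital letter');
  if (!/[a-z]/.test(pw)) failures.push('at least one lowercase letter');
  if (!/[^A-Za-z0-9]/.test(pw)) failures.push('at least one symbol or punctuation');
  if (contains(DICTIONARY)) failures.push('must not contain a dictionary word');
  if (hasRepeat(pw) || hasRun(pw)) failures.push('must not contain a sequence');
  if (contains(personalTokens(profile))) failures.push('must not contain personal information');
  if (contains(SERVICE_NAMES)) failures.push('must not contain the service name');
  return { ok: failures.length === 0, failures };  // failures double as user feedback
}
```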

Tip 2 - Have a password and confirm password box

This is somewhat trivial. We don't want users entering a password they won't remember. So, ideally, we should have a Password / Confirm password section when creating an account.

Tip 3 - Provide feedback on how strong the entered password is

Once all the information is entered, provide feedback to the user on how safe her password is. For example, KeePass provides this indicator:
Source: KeePass

And Twitter:

Tip 4 - Recycle passwords

Yes, ideally we want users to change passwords every X days. I don't see that feature on most sites, but it would be good to start having it enabled by default on websites, so that the risk from data leaks is automatically reduced. has that nice feature:

Tip 5 - Enable MFA

Multi-factor authentication greatly helps secure accounts. We already discussed it in a previous post. Enabling it for your app may not be complicated, and assuming you don't want to or can't use SMS, you could use a secondary email address, for example. This is Gmail's MFA:

Tip 6 - Avoid Leaking Information

This should be common sense already, but unfortunately it isn't. Web applications still leak a lot of information. For example, password hints usually allow:
How strong is that hint?
If you have to have this feature, prefer presenting options to the user in a dropdown as opposed to letting him enter his own. Users are not good at creativity and usually provide very easily guessable password hints such as:

Other approaches should suffice so that a password hint is not needed:
  • allow different recovery options, such as reset tokens sent to secondary e-mails;
  • avoid password hints and just provide a safe forgot-password service.

Tip 7 - Validate if password has been exposed

Troy Hunt's Have I been pwned? service provides a very interesting functionality: a database with X records that you can check against to validate whether a password has already been exposed.

Tip 8 - If possible, generate a strong password for your users

I know, this is controversial, but how else can we get our users to create strong passwords? Will they have the creativity to respect all those constraints? Will they even be able to remember those passwords? Why not have password generation built into our site to create strong passwords for them?

Tip 9 - Test how secure a password is

We can always use tools that tell us how secure our passwords are. Online, we have How Secure Is My Password. Or even better, why not integrate our application with such a service?


About the Author

Bruno Hildenbrand
Principal Architect, HildenCo Solutions.