Monday, January 8, 2018

Web Development best practices: tips for stronger passwords


We already discussed how to secure our front-end and how to create stronger passwords for ourselves. On this post, I will approach how we, developers, can make integrate those concepts in our applications to reduce the risks of our users' accounts being hacked due to weak passwords.

Tip 1 - Demand Stronger passwords

It is time applications start demanding stronger passwords from their users and inform them on how secure is their password (more on that later). So, when accepting user-entered passwords, if you don't mind, I will repeat what was written before on this blog removing what's not applicable:
  • Use passwords with at least 8 characters;
  • At least one number, 1 capital letter, 1 lowercase letter, 1 non-alpha character;
  • Use complex passwords that include numbers, symbols, and punctuation;
  • Use a variety of passwords for different accounts or roles;
  • Do not allow dictionary words as passwords, e.g. apple;
  • Do not allow sequences of characters, e.g. 3333, abcdabcd;
  • Do not allow personal information in passwords, e.g. your birthdate;
  • Do not allow setting the password as the associated service, e.g. Gm@il or Dropbox123;
  • Combinations of those above;

Tip 2 - Have a Password and Confirm Password box

This is somehow trival. We don't want users entering a password they don't remember. So, ideally, we should have a Password / Confirm password section when creating an account.

Tip 3 - Provide feedback on how strong the entered password is

Once all information entered, please provide a feedback to the user regarding how safe is her password. For example, KeePass provides us this input:
Source: KeePass

And Twitter:
Source: twitter.com

Tip 4 - Recycle passwords

Yes, ideally we want users to change passwords every X days. I don't see that feature on most of the sites but it would be good to start having that featured enabled by default on websites so that rists on data leaks is automatically reduced. Outlook.com has that nice feature:

Tip 5 - Enable MFA

Multi-factor authentication greatly helps securing accounts. We already discussed that on a previous post. Enabling something for your app may not be complicated and assuming you don't want / can't use SMS, you could use a secondary email address for example. For example, this is Gmail's MFA:
Source: gmail.com

Tip 6 - Avoid Leaking Information

This should be common sense already but unfortunately it isn't. Web applications are still leaking a lot of information. For example, password hints usually allow:
How strong is that hint?
In case you have to have this feature, prefer to present options to the user in a dropdown as opposed to allowing him intering his own. Users are not good at creativity and usually provide very easily guessable password hints as:

Other approaches should suffice in order to not have a password hint:
  • allow different recovery options, such as reset tokens sent to secondary e-mails;
  • avoid password hint and just provide a safe forgot password service;

Tip 7 - Validate if password has been exposed

Troy Hunt's Have I been pwned? service provides a very interesting functionality: a database with X records that you can check against to validate if a used password.

Tip 8 - If possible, generate a strong password for your users

I know, this is controversial but how else can we go to make our users create strong passwords? Will they have creativity to respect all those constraints? Will they even be able to remember those passwords?

With all that said, why not have a password generation built into our site to allow the creation of strong passwords for them?

Tip 9 - Test how secure is a password is

We can always use tools to inform us how secure our password ares. When online, we have how secure is my password. Or even better, why not integrate our application with such a service?

Conclusion

On this post I presented multiple tips to use withing your application or recommend a product or service you like to add. Bring these discussions to your team. And why not do like GitHub and integrate security breaches into your application for the benefit of your users.

See Also

Security and development: how much is being done?
Security is only as strong as the weakest link
The Laws of security
Privacy and Ethics
Securing our front-end
How to create stronger passwords
Integrated security vulnerability alerts on GitHub - Why it matters

For more security posts on this blog, please click here.

References

Troy Hunt - Password managers don't have to be perfect, they just have to be better than not having one