There’s nothing more embarrassing for a web-based company than allowing their user’s personal data to be revealed on the open Internet.
Websites and services have an ethical duty to protect the private data entrusted to them, and yet, time and again, we hear of hugely popular web services like LinkedIn and Last.fm engaged in password practices that are very definitely not the best.
On top of the ethical duty, significant costs associate with lax security, including danger to business continuity, loss of reputation, and legal consequences for failure to adhere to data protection regulations.
Security breaches are going to happen. Hackers are smart, and perfect software doesn’t exist. However, you should take steps to ensure that if password data gets out, it’s useless to identity thieves and other malicious parties. Here are 5 guidelines to follow to ensure that your users passwords remain safe.
Never Store Passwords in Plain Text
This should go without saying, but user’s passwords should never hit your disks in plain text. You might think your servers are secure, but so did everyone who stored their passwords this way and lost them.
Use a Cryptographically Secure Hashing Algorithm for Stored Passwords
Ideally, no one, not even you, should know your user’s passwords. A hash function generates a fixed-size string that is stored in place of a plain text password.
This string (hash value) is unique (or unique enough) that no other password is likely to generate an identical hash. This operation is mathematically irreversible.
Salt Your Hashes
It is possible to reverse sufficiently simple hashed passwords using dictionary and brute force attacks, lookup tables, and rainbow tables. However, services cannot rely on users to choose such passwords. So, they generate a “salt” before a password is hashed.
A salt is a long, random, and, ideally, unique set of characters added to a password before hashing. Using a sufficiently good salt renders the available methods for hash reversal useless.
Encourage Users to Choose Secure Passwords
When users choose passwords, services should clearly state that simple dictionary-based passwords and short passwords are insecure and encourage users to choose something more secure.
Also, sites should not limit the length or the possible characters a password can contain. If systems properly hash and salt passwords, their length and composition don’t matter from a storage perspective.
Do Not Attempt to Create Your Own Password Hashing and Storage Functions
No matter how expert a programmer you are, you are unlikely to be a cryptography expert. All the major programming languages contain solid, verified hashing algorithms that experts created and other experts have tested and examined. Use them. Trying to produce your own is both a waste of time and a security vulnerability.
Let us know in the comments or on Twitter what you think of the recent spate of leaked passwords, and feel free to add any suggestions of your own to help improve password security.
