This piece is mostly developer oriented. Want to understand the subject in-depth?
Whenever you require a password from the user, think of the following:
- allow ANY LENGTH of password
- allow ANY character to be used
- BUT, take care of your users, suggest a good characters combination or minimum length
- if password is easy to guess, suggest a new one
- store the password in plaintext in your database – just don’t!
- ever send a password in plaintext to anyone, even the user – just say no to the idea!
- limit the length of the password – why??? sending bytes is cheap
- require the “special structure” of the password – length is more important. hey ladies!
- require a password change too often
- don’t use third party “your password is STRONG”-meters, if you do not know the author and the logic it uses
- prevent injection by properly sanitizing input from the user, use stored procedures, parametric DB statements etc.
- always send password using encrypted channels (SSL etc.)
- store only password hash, which is always of the same length
- salt the password with two bits of information: one static secret and one depending on the user
- when sending the “reset password” email, expire the link in a short time and/or after being used
Special password structure
If you require a “at least one number, one uppercase and not less than 12 and not more than 20 chars” but “without chars such as “-+?*'” etc… two things are going to happen:
- Users will make up passwords, they are not familiar with. They’ll most probably write them on a post-it note and attach it somewhere on the computer.
- Why limit the password length? Database password field length is not a problem if you store password hashes. Users use password managers nowadays, so the long passwords are not an issue. And, length is probably the MOST IMPORTANT factor when trying to brute-force a password. Defies the purpose if you limit it, doesn’t in?
Salting the password
Again, what is a hash?
TL;DR Transform any string into a fixed-length string value, which is impossible to reverse and find out the original string from. But also, not two different strings can produce the same hash. Theoretically. And some hash functions are better than others.
Let’s say your preferred password is “password“. And the sha1 hash it produces is “5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8“.
Why is this not that ok? Because nowadays, when someone hacks a site and steals the user database, it can search for duplicate hashes. Easy to spot simple and most common passwords.
BUT! Add something static to each password before hashing it.
Let’s say this static string is “this5it3secre4“. Add it to each password, this way your password string becomes “this5it3secre4password“. This produces a hash of “036b729acd13444282ad8fec949a1ee590f9563e“.
Since “password” is quite common password people use, it would be easy to spot it’s hash, but now not so anymore. This way you make rainbow tables a bit more obsolete.
BUT! If two users use the same “password”, they would also produce the same hash. That’s why you add something specific for each user to its password salt .
Let’s say his ID from the database or username. But be careful! You need something that does not change through time and stays the same even if you migrate the data etc.
This way the user number 132 would have a hash for “000132this5it3secre4password” and the user 3384 a hash for “003384this5it3secre4password“.
Compare the two:
Advice for the users?
They are not ranked. All of them are equally important!
- Use a password manager. Free or paid, there are plenty to choose from. My favorites: 1Password, KeePass. Read more here.
- Use random password generator. Always. Banging on the keyboard is not that random. Human brain is far from random.
- Use maximum lengths you can afford. Don’t worry, password manager remembers all your passwords, you need to remember only one password in the end!
- Avoid sites with stupid password rules.
- Have a different password for each site!
Want to get scared?
- Wired: Anatomy of a hack: even your ‘complicated’ password is easy to crack
- ArsTechnica: 25-GPU cluster cracks every standard Windows password in <6 hours
- MailOnline: Think you have a strong password? Hackers crack 16-character passwords in less than an HOUR
- ArsTechnica: It’s official: Password strength meters aren’t security theater
- ArsTechnica: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
- ArsTechnica: Why passwords have never been weaker—and crackers have never been stronger