Join Kevin Skoglund for an in-depth discussion in this video Strong passwords, part of Programming Foundations: Web Security.
- Developers must be smart about passwords in order to protect against credential attacks. The following advice is good for everyone, but it's especially important when passwords are used to administer servers. You should use long passwords with at least 12 characters. 12 is a minimum. 15 characters or more would be even better. It's good to use character variety, upper case, lower case, numbers, and symbols, but variety is not as important as the length. A common mistake is to think that a short, complex password is more secure than a long simple one. Any eight-character password, even one with character variety can be discovered by trial and error in less than three hours. A 12-character password using all lowercase letters would take two weeks, but if you use both length and variety together, then a 12-character password would take 9000 years. You should also avoid patterns and dictionary words. We already know that hackers try those first. It is especially important that you never reuse passwords. This advice matches the principle of least privilege. Each password can be seen as a key which grants access privileges, and which should only unlock what it needs to to get the job done. Think of it this way. Every time you reuse a password, you're giving that password more privileges. Unique passwords also prevent the increasing threat posed by credential stuffing. Now this password advice may seem difficult. On the one hand, choose long, complex passwords, but then don't reuse them. How's any person supposed to remember them? Well, you aren't. Get yourself a good password manager. A password manager is software which will store passwords in an encrypted file. You only need to remember one master password which unlocks the rest of them. Most include nice features, like strong-password generators, form autofill, and a place to store other notes securely. Popular password managers are LastPass, 1Password, Dashlane, and KeePass. Some are free and some are paid, but all of them are worthwhile. SSH keys are good alternative to passwords. They act like a password that has over 1000 characters and are sent automatically. You can use them to log into your servers or to connect to GitHub. One of the best ways to make credentials more secure is to use multi-factor authentication whenever possible. It's also sometimes called two-factor authentication. In addition to the password, a user must authenticate with another factor. Usually the second factor is an object in your possession like a phone or a piece of hardware. A hardware authentication device, such as a YubiKey or software that generates authentication codes, such as popular ones made by Google, Microsoft and LastPass are excellent choices. Many websites implement two-factor authentication by sending an SMS text message. Text message codes are good, but they're weaker than the other choices because they can be intercepted or viewed on a stolen phone. The website twofactorauth.org keeps a list of every website which allows multifactor authentication. Most major websites and services that developers use offer multifactor authentication now. In addition to protecting your servers and the services that you use, protect your users by always hashing their passwords with an encryption algorithm before storing them. Bcrypt, also known as Blowfish, is recommended. It has the extra advantage of being slow, which limits the speed that attempts can be made. You can also encourage users to pick strong passwords using the requirements that we've already discussed. Password strength meters can be helpful. Because we know that length is a great way to make passwords more secure, you should never limit the length of user passwords. Hashing algorithms do not care if a password's long. You can use login throttling to slow down the rate of attempts to your login page. For example, after 10 failed attempts, you can make a user wait for five minutes before they can try again. 10 failed attempts for a five minute penalty is not very burdensome on users, but it would cripple a brute force attack. If you stick to these password recommendations and also don't do silly things like send passwords over email, then it would be difficult for an attacker to find the key and take the easy way in through the front door.
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting