Secure Treatment of Passwords

Secure authentication is essential to keeping your users safe. This means dealing with passwords safely.

Risks

Prevalence Common
Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354 Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354 Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354
Exploitability Moderate
Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b
Impact Devastating
Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd

If your user accounts get hacked easily, you quickly won’t have any users. Ensuring strong authentication is a mix of pushing your users into good habits, and following them yourself. Attackers are constantly trying to find ways to bypass authentication, so you need to make sure you do not permit any vulnerabilities.

Protection

Use Third-Party Authentication if Possible

The most secure code is the code that isn’t there! Consider using third-party authentication instead of building your own. Some commonly used implementations:

Integrating third-party authentication into your site will make sign-up seamless for your users, and completely remove a possible attack vector on your site. Modern authentication systems have detailed developer documentation, and SDKs for a variety of programming languages.

Ensure Password Complexity

Make sure passwords have a minimum length, and if you site deals with sensitive data, consider enforcing password complexity rules. This typically means requiring mixed-case letters, and requiring one or more numeric or symbol characters. You might also have a blacklist of “obvious” passwords, or ban passwords with too many repeating symbols.

Allow Password Resets via Email

The most secure way of implementing password resets is to allow users to send themselves reset links in email. Make sure reset links time out.

Confirm Old Password On Reset

If a user is already logged in and is resetting their password, have them confirm their previous password. This will protect your users if they leave themselves logged in to public computers.

Prevent Brute-Forcing

A common avenue of attack uses scripts that repeatedly try to login with known usernames and common passwords. This is computationally cheap, and many utilities exist to automate this attack. Large “password dumps” – leaks of passwords from historical hacks – give an attacker a good idea of what phrases people commonly use as passwords.

The first defense against this type of attack is to prevent user enumeration. If you don’t give any feedback when a brute-force attack guesses a usernames correctly, you substantially increase the number of guesses needed to hack an account.

The second defense is to “punish” multiple failed login attempts with the same username. Very secure systems will lock the account until an administrator intervenes, but this is very manually intensive. Locking the account temporarily (even for just a few second or minutes) is often enough to make brute-force attacks ineffective. Otherwise, asking the user to perform an action to prove they are not a script – like solving a CAPTCHA – will do the trick.

Store Passwords With A Strong Hash, Salted

Passwords should always be stored as salted hashes.

A hashing algorithm is a one-way transformation that obscures the original input, but can be used to test if the input is entered correctly again. By saving passwords in hashed form, even an attacker (or a malicious employee!) who gets access to your database cannot make use of the account details.

Hashing is a very positive step, but still vulnerable to an attacker able to generate a rainbow table – a list of pre-calculated hashes of common passwords. This type of lookup attack can be defeated by adding salt to the hash – an element of randomness that will make the same input create a different hash, but still usable to check the correctness of the input when entered again.

Timeout Sessions After Inactivity, and Provide a Logout Function

You can put all the security you want on the front door, but if you don’t allow users to close it when they are done, it’s all for nought. Provide a logout button, so users can leave their session when they are done interacting with your site. Moreover, if your site handles sensitive data, timeout the sessions after a period of inactivity. (Users frequently neglect to logout, after all.)

Use HTTPS for Secure Communication

Make sure you use encrypted communication when asking a user for their login details, or else their password can be stolen by a man-in-the-middle attack. Similarly, make sure all communication between your server and their browser after login is done over HTTPS, so their session cannot be hijacked.

Is your authentication system secure?

Netsparker n 834848961a0bf6ec5556448ff47f421d0b1204a572877a59717064b1088e8c43 Check today. Scan your website for Password Mismanagement and other vulnerabilities with the