It’s Time to Get Serious About Strong Password Policies
Account breaches are now a common occurrence that any webmaster can relate to. One of the most devastating was the leak of an 87-gigabyte database containing nearly 22 million passwords towards the end of January of this year. It is no surprise that internet criminals went to work ransacking accounts for anything worth a penny.
The main issue is not poor security practices by website owners, but rather the users themselves. When a website’s database is breached, the usernames and passwords in it are exposed. Users who register everywhere with the same email, username and password combination are the ones who will be exploited, because those leaked credentials work on every other site they use.
Setting a Strong Password Policy
The best way to eliminate weak user passwords is to prevent them from being used in the first place. This is why you must make sure that there is a minimum security requirement for those signing up for your website.
A strong password policy should at least include:
• A minimum length (12 characters or more)
• A minimum number of lower-case letters, upper-case letters, digits and symbols, for increased complexity
• A block list that forbids common words, names and phrases
• For existing users, a check that prevents previously used passwords from being reapplied
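The policy above, as an added example in Python (not code from the original article): each rule becomes a check that returns a human-readable violation, so the sign-up form can tell the user exactly what to fix. The block list here is a constructed handful of entries; a real deployment would load a large list of breached and common passwords.

```python
import re
import string

# Constructed block list for the example only; load a real breached-password
# list (tens of thousands of entries or more) in production.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}

MIN_LENGTH = 12
MIN_PER_CLASS = 1  # required count of lower, upper, digit and symbol characters


def policy_violations(password: str, username: str = "") -> list:
    """Return every policy violation found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Count each character class separately so the message names the missing one.
    classes = {
        "lower-case letter": sum(c.islower() for c in password),
        "upper-case letter": sum(c.isupper() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "symbol": sum(c in string.punctuation for c in password),
    }
    for name, count in classes.items():
        if count < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {name}")

    # Strip digits and symbols before the block-list check so that the usual
    # "Password123!" trick is still recognised as the common word "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    for word in sorted(COMMON_WORDS):
        if word in core:
            problems.append(f"contains common word '{word}'")

    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems
```

Substring matching against the block list is deliberately strict and will occasionally flag an innocent passphrase (for example "admin" inside "badminton"); for a sign-up form that is the safer side to err on.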
Not only does setting the bar high for password strength encourage users to create unique passwords on the spot, it also makes those passwords more resilient against cracking software. Tools like John the Ripper are routinely run with dictionaries and word lists to crack weak user passwords.
Educating Users on Building Stronger Passwords
Memorisation techniques matter because users who create long, gibberish passwords are likely to write them down on a notepad on their desk or store them in other unsafe locations. This is why you should encourage your userbase to create passwords that are memorable.
You may include a small guide showing users how to create passwords that are memorable to them while appearing like gibberish to anyone else. Instead of using plain names, words or dates, users should substitute letters and numbers according to a scheme that only they know.
There are free online tools that help generate a memorable password. For example, XKPasswd includes a comic strip that tells a story to help the user memorise each section of the strong password.
Setting Periodic Mandatory Password Changes
As long as you have a strong password policy, it is a good idea to require your users to change their passwords. You may choose to have these changes scheduled a few times a year or triggered by suspicious account activity events.
The point of mandatory password changes is not necessarily to encourage stronger passwords but to make users’ passwords on your site diverge from the ones they use everywhere else. You must assume that most of your users reuse the same password across multiple websites. In the event another site is breached, your users will at least have a different password on yours by then.
Setting Multi-Factor Authentication
Password strength alone is still not enough against more diligent account crackers. Even the lowest-hanging fruit in your domain becomes far harder to take over if you implement a multi-step authentication process.
Fortunately, two-factor authentication (2FA) and three-factor authentication (3FA) are now extremely common on all types of websites and internal networks. The idea is to present multiple forms of proof that you are undeniably the person who owns the account.
The authentication process may mix social media account linking, email confirmation links, and text or voice message codes. Most of your users will have a presence on all three types of service, so few complaints should arise.
On the other hand, a stricter authentication process may also require more customer service attention, since account lockouts will occur. Real-life mishaps such as a changed phone number or a locked social media account can disrupt the process. If you are serious about account security, this slight hindrance is worth it.
Make Password Recovery Straightforward Yet Stringent
Mandatory password changes and very strict password policies make lost passwords inevitable. This is why you need a support system, both automated and manual, to help users recover access when they forget a password that was not memorable.
Of course, your recovery system shouldn’t give up access easily. During a password recovery, users should go through the same multi-step authentication process, including email and phone verification.
Prepare For Database Breaches
Using outdated software is the cause of most data leaks. More specifically, outdated operating systems, databases and other back-end software are what hackers love to prey on. Just take a look at Exploit DB and see how many exploits there are for old versions of MySQL, PHP or Linux.
Make sure that the fundamental components of your website are always up to date. If you are hosting your website on Linux, this may easily be done with a few simple commands in the package manager.
Also, you should never store user credentials in plain text. Even if a hacker releases your database, they will then face the tedious task of cracking the password hashes. This is why any responsible admin will “salt” password hashes, so that each hash has to be cracked individually rather than with precomputed tables.
Salting passwords can be done with a number of utilities and programming libraries; the salt itself must come from a cryptographically secure random number generator. Popular sources include SecureRandom in Ruby and Java, os.urandom in Python, and CryptGenRandom for C++ developers on Windows.
As so many websites on the internet run outdated back-end software, we should expect more database leaks in the future. Considering also that many users are lazy about managing their passwords, you must enforce stronger passwords and better password storage habits for the sake of your company’s security. Using the tips above, you will notice a significant drop in hijacked user accounts, making your job easier.