
The password is… STOLEN!

Posted by Pixafy Team


Password thefts have been popping up in the news lately. In recent months, a number of high-profile database breaches have resulted in passwords being stolen from sites like LinkedIn, last.fm and Yahoo! Voices. A couple of things become obvious from these thefts.

In some cases, the sites were storing the passwords in plain text, without any obfuscation at all. This means the hackers have everything they need to get into the account. In other cases, the passwords were hashed, but only in the most basic fashion: a single, unsalted hash. Without a “salt” to mix some extra, per-user data into the hash input, anyone using the same hash function can precompute the hashes of common passwords, recover those accounts immediately, and eventually crack the remaining ones.
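The two failure modes above, shown side by side. This is an added example, not code from the Pixafy post or from phpass: the user names, passwords and the mini wordlist are constructed, and the salted scheme (random 16-byte salt prepended to the password before SHA-256) is a deliberately simple stand-in for what a real library does.

```php
<?php
// Added example (not from the post): why an unsalted hash leaks identical
// passwords and falls to one precomputed lookup table, and why a random
// per-user salt defeats that table. All users and passwords are constructed.

// Two constructed users who happened to pick the same weak password.
$users = [
    'alice' => 'password123',
    'bob'   => 'password123',
    'carol' => 'correct horse battery staple',
];

// 1. Unsalted MD5: the "most basic fashion" the post describes.
$unsalted = [];
foreach ($users as $name => $pw) {
    $unsalted[$name] = md5($pw);
}
// alice and bob now hold byte-identical hashes: cracking one cracks both.
var_dump($unsalted['alice'] === $unsalted['bob']);

// The attacker hashes a wordlist ONCE and looks every stolen hash up in it.
// Constructed mini wordlist standing in for a "most common passwords" list.
$wordlist = ['123456', 'password', 'password123', 'qwerty', 'letmein'];
$table = [];
foreach ($wordlist as $w) {
    $table[md5($w)] = $w;
}
foreach ($unsalted as $name => $h) {
    echo $name, ': ', $table[$h] ?? '(not in table)', PHP_EOL;
}

// 2. Salted: a fresh random salt per user, stored next to the hash.
function saltedHash(string $password): array {
    $salt = bin2hex(random_bytes(16));           // 128 random bits, per user
    $hash = hash('sha256', $salt . $password);   // hash(salt || password)
    return ['salt' => $salt, 'hash' => $hash];
}

function verifySalted(string $password, array $record): bool {
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters matched.
    return hash_equals($record['hash'], hash('sha256', $record['salt'] . $password));
}

$salted = [];
foreach ($users as $name => $pw) {
    $salted[$name] = saltedHash($pw);
}
// Same password, different salts, different hashes. The lookup table built
// above no longer applies: the attacker would need a new table per user.
var_dump($salted['alice']['hash'] === $salted['bob']['hash']);
var_dump(verifySalted('password123', $salted['alice']));
var_dump(verifySalted('Password123', $salted['alice']));
```

The salt removes the shared lookup table, but a salted SHA-256 is still fast, so each individual hash can be attacked at full speed. That is the gap a purpose-built library such as phpass (bcrypt) closes by making every guess deliberately expensive, which is why the developer tips below recommend a library rather than a hand-rolled scheme like this one.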

For developers, here are some quick tips to protect users and their passwords better:

  • In order to safeguard your users’ passwords, we highly recommend using a password hashing library. One such library that we’ve used in our projects is phpass. This is a very strong library and is used in many popular frameworks, including Drupal and WordPress.  We do not recommend attempting to go it alone.
  • Salt your passwords. Salting is the process of appending an additional string to a user’s password before it is hashed, so that two users with the same password end up with different hashes and an attacker cannot reuse one precomputed table of common passwords against every account. The salt can be as simple or as complex as you’d like; we’d recommend a fairly long, randomized string, generated separately for each user and stored alongside the hash.
  • Design your platform to lock an account after a certain number of failed attempts, around 3-5, so that an online brute force attack on a particular account is not possible.
  • Introduce a slight delay between password attempts. Even a limitation of one second per attempt can make a huge difference. Users won’t notice it, because re-entering a password and clicking “submit” takes longer than that anyway, but a computer free of those limitations would be slowed down immensely.
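The four developer tips combined into one login check. This is an added example, not Pixafy’s code and not phpass: it uses PHP’s built-in password_hash()/password_verify() (bcrypt, which generates and stores its own salt) in place of phpass, the in-memory $accounts store stands in for a database table, and the threshold and delay constants are the values suggested above.

```php
<?php
// Added example (not from the post or phpass): library hashing, per-account
// lockout after MAX_FAILURES, and a fixed delay on every attempt.
// The $accounts store and the guesses in $script are constructed.

const MAX_FAILURES = 5;        // the post suggests 3-5
const ATTEMPT_DELAY_SEC = 1;   // the post's one-second delay

// Constructed store; a real application keeps this in the database.
// password_hash() picks a random salt and embeds it in the returned string.
$accounts = [
    'alice' => [
        'hash'     => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        'failures' => 0,
        'locked'   => false,
    ],
];

// Returns 'ok', 'denied' or 'locked'. Takes $accounts by reference so the
// failure counter and lock flag persist between calls.
function attemptLogin(array &$accounts, string $user, string $password): string {
    sleep(ATTEMPT_DELAY_SEC);   // throttles scripted guessing; humans don't notice

    if (!isset($accounts[$user])) {
        // Same answer as a wrong password, so valid usernames can't be enumerated.
        return 'denied';
    }
    $acct = &$accounts[$user];

    if ($acct['locked']) {
        return 'locked';
    }
    if (password_verify($password, $acct['hash'])) {
        $acct['failures'] = 0;
        // If PHP's default cost/algorithm has moved on since this hash was
        // stored, upgrade it now while the plaintext is legitimately in hand.
        if (password_needs_rehash($acct['hash'], PASSWORD_DEFAULT)) {
            $acct['hash'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return 'ok';
    }
    $acct['failures']++;
    if ($acct['failures'] >= MAX_FAILURES) {
        $acct['locked'] = true;   // cleared only by an out-of-band reset flow
        return 'locked';
    }
    return 'denied';
}

// Walk-through: wrong guesses until the lockout trips, after which even the
// correct password is refused. Each call takes ATTEMPT_DELAY_SEC seconds.
$script = ['123456', 'password', 'qwerty', 'letmein', 'password123',
           'correct horse battery staple'];
foreach ($script as $i => $guess) {
    printf("attempt %d: %s\n", $i + 1, attemptLogin($accounts, 'alice', $guess));
}
```

Two design points worth noting. The lockout counts failures per account, which stops a brute force against one user but also lets an attacker lock a victim out on purpose, so production systems usually pair it with a reset path and log the lockout event for review. The sleep() delay ties up a PHP worker for the full second; on a busy site the same throttle is more often enforced at the web server or in a rate-limiting layer, but the effect on an attacker’s guess rate is the same.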

Users can take steps to make themselves more secure as well:

  • Using the same password for every site is asking for trouble. Having unique passwords assures that if a site is breached, other important data isn’t at risk. At the very least, have a unique password for high-risk or high-value items like banks, credit cards and other financial accounts. Database breaches are always announced after the fact, and you never know how long that data has been out there when it’s announced.
  • Use strong passwords. Those with easily guessable passwords become high-value targets. More than just avoiding passwords in the “most common passwords” lists that float around, you should have passwords that include a mix of letters, numbers and even symbols (when allowed). Also use upper and lower case. The reason this is so powerful is that instead of 26 choices per character (lowercase letters), you add 26 uppercase letters, 10 digits, etc. That count is then multiplied by itself for each additional character, meaning longer passwords are harder to guess, although no password is uncrackable given enough time and chances.
  • If you’re not creative or would rather generate gibberish, you can use a password generator.  You can also see the relative quality of your password to get a better feel for what you’re crafting.
  • You can use a password manager to keep track of your passwords and keep them on your machine. Tools like LastPass help you manage your hard-to-remember passwords while keeping them safe.

Questions or comments? Share them below, or tweet us @Pixafy!
