Password Security

Password security is essential for safeguarding digital accounts and sensitive information from unauthorized access. It encompasses practices designed to ensure passwords are robust, securely stored, and effectively utilized to thwart breaches and cyberattacks. By employing techniques like password hashing, salting, and multi-factor authentication, both individuals and organizations can strengthen their defences against common threats and protect their data from potential vulnerabilities.

What are the best practices for storing and managing passwords securely?
How can password hashing algorithms enhance password security?
What are the benefits and drawbacks of using multi-factor authentication (MFA) for password security?
How can password policies be designed to balance security and user convenience?

What are the best practices for storing and managing passwords securely?

Some of the best practices for storing and managing passwords are:

Safeguard Your Databases and Containers

Ensuring database security goes beyond implementing password best practices; it involves protecting all the data stored within your databases and should never be overlooked. Preventing attackers from accessing your data eliminates their opportunity to decrypt it, making it crucial to follow your database vendor’s security best practices. This principle extends to all your systems, not just your databases. For example, if you’re using a popular container engine like Docker, you need to address the associated vulnerabilities. Container security is vital, and neglecting it can expose your systems to various risks. Therefore, ensure that all your systems are continuously monitored and secured according to industry best practices to protect your organization’s valuable data and maintain the integrity of your systems.

Secure Passwords with Hashing

Never store passwords in plain text; instead, always hash them and store the hash. Hashing is superior to encryption for password storage because a hash cannot be reversed. When a user tries to log in, you can generate a hash from the entered password and compare it to the stored hash from sign-up. This ensures that no one with access to the database can read or deduce the original password from the hash, including you and your colleagues. Additionally, using a hash removes the need for an encryption key, which could be stolen and used to decrypt passwords. By hashing passwords, you greatly improve the security of user authentication and protect sensitive data from potential breaches.

Utilize a Robust Hash Function

Not all hash functions are created equal; some lack cryptographic safety, and others are designed to be computed quickly—something you want to avoid when hashing passwords. Hash functions that can be computed rapidly enable attackers to brute-force numerous random strings until they uncover the passwords hidden within the hashes. To deter this, you need to ensure attackers face significant computational difficulty. While you will also need to use these slower functions when hashing passwords during signup or login, you won’t be processing millions of random strings like an attacker would. The OWASP recommends using Argon2 for hashing passwords. If Argon2 is unavailable, bcrypt is the next best option, followed by scrypt if bcrypt is also unavailable. Using these robust hash functions significantly enhances the security of your password storage.

Apply Salt to Your Passwords

Salting a password involves adding a random string to it before hashing, which ensures that the resulting hashes for common passwords appear distinct. This technique protects against attacks where attackers use tables of precomputed hashes to identify common passwords used by your users. For example, while a table might contain the hash for the password “password,” it won’t have the hash for a salted password like “&()/&IJDNSBAEpassword.” Additionally, since users often reuse passwords across different applications, salting helps prevent attackers from comparing hashes obtained from compromised sites. The salt string is stored alongside the password hash in your database, and modern hashing libraries like Argon2 or bcrypt handle salting automatically during the hashing process.

Add Pepper for Extra Password Security

Peppering passwords involves adding a fixed random string to each password before hashing, similar to salting. The key difference is that, unlike salting, the pepper string is the same for all passwords and is not stored in the database alongside the hashes. Instead, it is kept in a separate location, such as the filesystem or object storage. This separation ensures that even if an attacker gains access to your database, they still lack the pepper string necessary to correctly hash and match the passwords. This additional layer of security makes it significantly more challenging for attackers to decipher password hashes and recover the original passwords.

Revise Your Security Factors

As computer processing power increases, hash functions that once took seconds to compute can now be processed in milliseconds by more advanced systems. To address this issue, hash functions include a parameter known as the “work factor,” which increases the number of iterations applied to the hashing process, making it slower and more resistant to attacks. When adjusting work factors, balance is key: you want to make hashing challenging enough to deter attackers but not so cumbersome that it impairs user login experiences. As your infrastructure evolves and servers become more powerful, it’s important to also update your work factors to ensure that your security measures continue to benefit from the enhanced performance.

Avoid Mandatory Password Resets

Previously, it was common practice to require users to change their passwords every few weeks, aiming to limit the lifespan of any stolen passwords. However, this approach often frustrates users, leading them to create simpler and less secure passwords. If you are obligated to enforce such policies due to compliance requirements, you must adhere to them. But if there are no external mandates, it’s better not to force regular password changes. Allowing users to maintain their passwords without frequent resets generally results in stronger, more secure passwords over time.

Validate Passwords with a Dictionary and Deny Lists

Although mandating overly complex passwords can be counterproductive, it’s important to check new passwords against public dictionaries and deny lists. If a password matches entries from these sources, users should be alerted and prompted to choose a different one. This practice helps prevent the use of common or easily guessed passwords, which hackers often exploit when trying to crack hashed passwords. By comparing passwords to these lists, you make it more challenging for attackers to decipher plaintext passwords, thus enhancing overall security.

Focus on Password Length Over Complexity

In general, password length is more crucial than complexity. Longer passwords take significantly more time and resources to crack programmatically—potentially years—making them far more secure than shorter, complex ones. Users often find it easier to remember a lengthy, meaningful phrase like “IonceateahamburgerinLondon” compared to a complex string like “x5§.11#”. Therefore, rather than enforcing the use of numbers or special characters, you should allow users to create passwords of their choice, provided they are longer than five characters. This approach enhances both user experience and security by prioritizing length over complexity.

How can password hashing algorithms enhance password security?

Password hashing is a cybersecurity technique that converts a plaintext password into a unique, fixed-size string called a password hash using a hashing algorithm. This method ensures that actual passwords are concealed from attackers, even if data breaches occur because the hashing process is irreversible—meaning it is computationally impossible to reconstruct the original password from the hash. During user login, the system hashes the entered password and compares it with the stored hash; access is granted if they match. While password hashing significantly enhances the security of password storage, it should be combined with additional security measures such as encryption and multi-factor authentication to provide comprehensive protection against theft and misuse.

Irreversibility: Passwords are transformed into fixed-size hashes that cannot be reversed to reveal the original password, ensuring the actual password remains protected even if the hash is exposed.
Salting: A unique, random string (salt) is added to each password before hashing, preventing attackers from using precomputed tables (rainbow tables) to quickly crack passwords.
Peppering: A secret, fixed string (pepper) is added to the password before hashing, providing an additional layer of security by making it harder for attackers to match hashes with original passwords.
Work Factors: The algorithm includes a work factor or cost parameter that increases the number of iterations, making the hashing process more computationally intensive and slowing down brute-force attacks.
Resistance to Brute-Force Attacks: The combination of computational intensity, salting, and peppering makes it significantly more difficult for attackers to use brute-force methods to crack passwords.

What are the benefits and drawbacks of using multi-factor authentication (MFA) for password security?

Multi-factor authentication (MFA) is the process of enhancing security by requiring users to provide multiple different forms of identification. By taking the example of two-factor authentication (TFA), is a subset of multi-factor authentication (MFA), enhances security by requiring users to provide two different forms of identification, typically a combination of something they know (like an email address) and something they have (such as a mobile phone). Implemented in addition to traditional username and password verification, 2FA strengthens security by making it harder for unauthorized individuals to gain access, even if they manage to bypass the initial login credentials. This method is widely used across online banking, social media, and e-commerce sites to protect sensitive areas of web applications, such as admin panels and personal data storage. Additionally, 2FA helps businesses and public institutions improve productivity and efficiency by enabling secure remote access for employees with fewer security risks.

Multi-factor authentication (MFA) enhances security by requiring multiple forms of identification, making it significantly harder for attackers to gain access even if they have compromised one factor, like a password. It mitigates risks such as credential theft and phishing attacks, supports regulatory compliance, and improves access control. MFA also boosts user confidence by providing various authentication methods, including SMS codes, apps, biometrics, and hardware tokens, thereby offering robust protection against unauthorized access and cyber threats.

The main drawbacks are…

Extended Login Duration – Users need to complete an additional step to access an application, which increases the time required for the login process.
Integration – Two-factor authentication (2FA) often relies on third-party services or hardware, such as mobile service providers sending verification codes via text message. This reliance can create dependency issues, as the enterprise has limited control over these external services in the event of a malfunction.
Maintenance – Managing a 2FA system can become cumbersome without an effective method for handling a database of users and their various authentication methods.

How can password policies be designed to balance security and user convenience?

Password policies can be designed to balance security and user convenience by focusing on essential criteria such as length rather than complexity. Encouraging users to create longer passwords improves security without the need for complex requirements that can frustrate users. Implementing password expiration policies only when necessary, using techniques like hashing, salting, and multi-factor authentication, and providing users with clear guidelines and tools for managing their passwords can further enhance security while maintaining ease of use. Additionally, allowing users to set passwords that are easy to remember but still strong, and offering options for secure password management tools, can help strike an effective balance between protecting sensitive information and ensuring a smooth user experience.

Quiz questions and answers

1. Which of the following is a key reason for hashing passwords instead of encrypting them?

A. Hashing can be reversed if needed
B. Hashing does not require an encryption key
C. Hashing uses less computational power
D. Hashing makes passwords visible to database administrators
Answer: B. Hashing does not require an encryption key

2. What is the primary purpose of adding salt to a password before hashing it?

A. To make the hashing process faster
B. To ensure the resulting hashes for common passwords appear distinct
C. To encrypt the password
D. To store the salt string in a separate location

Answer: B. To ensure the resulting hashes for common passwords appear distinct

3. Which of the following is recommended by OWASP for hashing passwords?

A. MD5
B. SHA-256
C. Argon2
D. Base64

Answer: C. Argon2

4. Why is it generally not advisable to enforce mandatory password resets for users?

A. It makes passwords less complex
B. It increases the likelihood of users creating simpler, less secure passwords
C. It improves user experience
D. It complicates the hashing process

Answer: B. It increases the likelihood of users creating simpler, less secure password