When running and managing a web site making sure user accounts are secure is one of the first lines of defense against hackers. This responsibility lies on both the site developer as well it’s the users. In this article we will cover what users can do to make a strong password and how developers can keep that password secure.
Creating a strong password
As a user creating a password it is important to follow some simple guild lines. Some websites might already require these guide lines be followed but they are important to use whenever creating a password.
- Make the password unique. Very often people will fall into the habit of using the same password over multiple sites. This means if your password is compromised on one site everywhere else the password was used is now vulnerable. If you’re updating password you should make sure it is significantly different from previous password.
- Add complexity to your password. Strong passwords will be eight or more characters long and contain letters, upper and lower case, numbers and punctuation.
- Use uncommon terms. A strong password will actually not contain any words at all. Using words that are separated into multiple parts by punctuation or have had a letter replaced by a random number, not 0 (zero) for o, can make something relatively easy to remember but very hard to guess.
These three guild lines will have you well on your way to creating strong passwords. Once you have created your password the next important thing to remember is to keep it secret. Sometime the easiest way to get someone’s password is to just ask for it. This can be done by social engineering, using fake forms, emails or phone calls. It is important to always confirm the source when someone is requesting your password.
Protecting Users Passwords
As a developer that are certain steps you can go through to make sure your users passwords are safe. One of the best ways is to use a Hash function, which is a mathematical operation that is easy to do one way but very hard to reverse. This allows a password to be stored and its value checked without the system knowing the actual password. It is important to use a modern well-tested hash algorithm, such as SHA256, SHA512, RipeMD, SHA3. So in the event that someone gains access to your users information it will be unusable.
Another step to make the process stronger is by adding Salt, or random data, to the password before putting it through the hash function. This adds another level of complexity making it harder to reverse. Without this if two users have the same password they would also produce the same hash value. So if someone was able to get the user data they could us a look up or rainbow table to reverse the hash function.
While there is much more information on creating and securing passwords and user information following these tips will help get you started. Remember as both users and developers need to work together to protect user information. If you think that your password has been compromised alert the company or service where it was used and update your password.
Additional Information and Resources: