Password Security ImageA door made out of the strongest metal still wouldn’t offer any protection if it was secured with a twist-tie. Likewise, even the most sophisticated online security system can be bypassed in seconds if hackers acquire a user’s password. They’re easy to get when a website is storing passwords in plain text, but that’s a different story.

When people have weak passwords, there’s very little keeping their sensitive information safe. However, when it comes to passwords, many users still choose something that’s easy to remember over something that would be safer. That means hackers and thieves have much less work to do when they try to crack open users’ accounts, resulting in data breaches that put those users and others at risk. Although IT professionals continually stress the importance of choosing a password that is difficult to crack, many users don’t heed the advice.

On the other hand, the most secure passwords have the problem of being extremely difficult for people to remember easily. That’s why so many people use formulas for creating their passwords that make them easier to figure out for hackers. Some people believe that substituting numbers for letters in common words is enough to make a password difficult to guess. Yet substituting a zero for the “o” in “hello” is obvious enough to hackers that it’s practically the same as spelling the word the correct way.

Just this week, in fact, the man that told people to replace numbers for letters said this advice was wrong.

Personally, I use a password manager to handle all my passwords. I use 1Password, but LastPass and KeePass are also good tools. All I need to remember is a strong master password, and 1Password does the rest of the work in keeping my super strong passwords safe.

Having strong passwords for each of the important websites and Internet portals you use regularly is essential today. Use the following checklist when creating a password to help you avoid some of the most common mistakes that lead to weak passwords. This guide also tells you what steps you need to take if you believe your password may have been compromised to protect yourself and your data. A door is only as strong as the lock on it, and your Internet security is only as strong as the password you use to access it.

Presented by MNS Group

In this day and age of websites being hacked, personal information being stolen, and companies large and small being targeted by hackers around the world, you would think most developers would go through their systems to make sure they are following best practices when it comes to security.

I understand “security” is big and scary and has many layers. Let’s start with something easy: passwords.

Facepalm for bad password securityLast week, I signed up for a service. I’m not going to put them on blast, but after I signed up, I received an email with my new account information, including my password.

My heart skipped a beat.

That’s very bad.

If you get an email from a website, large or small, and it contains your password, be very wary. In the vast majority of situations, they are not storing that password in a secure way.

When I pressed them, they said it wasn’t a huge deal because they weren’t storing credit card details in there.

The reality is this: it doesn’t matter what you are or aren’t storing in your database or application. If you have weak security in one place, you have weak security everywhere. I would hazard a guess that the password strength and security for the other servers on that network aren’t great either.

So why do companies launch web applications with terrible password security? Some of it may be lack of knowledge, but that excuse is harder and harder to believe in today’s world.

For some companies, that’s the way its always been done. For others, they store passwords in plain text to make life easier for customers who have lost theirs. They think it’s easier to give them their password as opposed to reset it.

Finally, there’s cost. If have to retrofit your web application to store passwords securely, there is time and effort and resources needed to do that. Company executives may not see the return on investment, which is unfortunate.

One of the most popular posts on this blog was on I did in 2008 about passwords. Specifically, you should never store a user’s password in your database as plain text. This means not saving in  your database or text file exactly what the user typed in.

When developers store passwords this way, and an unauthorized person gains access, that attacker needs to do no work to get all user data. This comes from MediaTemple, who was hacked in 2009 and it was discovered they were storing passwords in plain text.

“Clear Text” is a method of storing passwords in a database so that they are human readable. This preference was made to provide customers a convenient way of managing access to their services, e.g. connecting a PHP app to MySQL. The “clear text” method can be less-secure than methods involving “encryption”, where passwords are not human-readable. This is less convenient for customers, but adds a layer of security. Properly secured databases can store passwords using either method, with the information kept private. However, if a database gets compromised, the encryption method is the only way to keep the information secure.

If you want to securely store your passwords, use a decent hashing algorithm, use a salt, or use a strong password library such as Bcrypt. Don’t store them as plain text. It isn’t hard, and it will help secure the information your users have trusted you with.

I think it’s fair for users to think that sites they give their personal information to will keep that information secure.

It seems like every week there’s a report of another security intrusion, in higher ed or not, with user details being stolen. In many of these cases, user’s passwords were not stored correctly, and in some cases, they were being stored in plaintext, which means there was no encryption or hashing being used.

Before we go any further, if you are storing passwords for your web app in plaintext, shut it off immediately and fix it. Seriously.

Even LinkedIn, a network built by very smart people, was only using SHA1 for their passwords, and no salt. All it takes is a rainbow table, a powerful computer and passwords are easily cracked.

From Poul-Henning Kamp, writing at the Association for Computing Machinery:

This is the first place LinkedIn failed utterly: Calculating the SHA1 function is very, very fast. A regular computer can crunch from 10 million to 100 million of them per second using the GPU, making it a trivial task to check even very large lists of potential passwords.

I’ve written in the past about some ways to use salts to protect passwords, but even some of those recommendations are now out of date.

Recently, for anything I’ve written that needs a login, I’ve used Bcrypt. There are ports for just about any type of programming language out there. If you’re writing in PHP, I’d recommend PHPass, a portable public domain password hashing framework. Takes out a bunch of work and is computationally slow, which is what you want when hashing a password.

If you’re looking for a refresher on password security, or you’re new to building apps and want a quick primer on how to do it right, you’ll enjoy this video from Les Hazelwood, CTO of Stormpath. In it, he walks you through various levels of password security and how to store them, from just plain wrong to crazy and complicated. If you’ve got a few minutes, it’s really worth checking out.