Passwords: how to store them, and how NOT to
Book your free IT audit
Or get in touch with our razorblue specialists to discuss your needs further.
With another significant data breach hitting the headlines again, it’s clear that companies still aren’t taking password security seriously.
By far the best way to deal with passwords for any application is to avoid them completely. When we develop bespoke business software, we try to integrate with a third party authentication service.
The majority of applications we develop utilise Windows Active Directory, the existing secure infrastructure that many of our customers already use day-to-day to log into their machines.
For applications where Active Directory isn’t suitable, for example an externally accessible portal, well known alternatives such as Google logins and “Sign in With Facebook” offer a secure path for users to authenticate without the need to store passwords.
Although the above methods are preferable, the need to store passwords is still a legitimate requirement of many applications.
The key to storing passwords safely is first understanding the dangers of doing so. The obvious risk is unauthorised users gaining access to the application, but there is a far more serious risk to businesses, especially with the looming ‘threat’ of GDPR.
In the event of a data breach where the contents of a database containing user information are obtained by an external party, your users’ password information could be spread all over the internet. Although best practice states that you should never use the same password for multiple sites, many people still reuse passwords, so any breach may leave some users exposed to unauthorised access across many sites and applications, forcing them to update all of their passwords.
To minimise the risk, there are a number of steps that can be taken to protect users’ passwords in the event of a data breach:
Don’t store passwords in plain text
Just don’t…
A password should be known only to the user that set it; there is never any need for anyone else to be able to recall a user’s password. If you are speaking to a company that can tell you your password, that is a very bad sign.
Don’t store passwords using reversible encryption
No matter how good you think the algorithm you have written is, if the data can be decrypted, there is always a risk that someone else can decrypt it given enough time and persistence. Again, there isn’t any reason to be able to recall a user’s password – if a user forgets their password, allow them to reset it themselves via a link sent to a verified email address or using additional security checks.
Do store passwords using one-way encryption
One-way encryption, or hashing, takes the user’s password and converts it into a meaningless fingerprint: the hash. The user’s password can’t be retrieved from it, but when the user enters their password into the application the same algorithm can be applied to the password and the result compared to the hash stored in the database. If the two match, the user entered the correct password and access can be granted.
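As an added illustration of the hash-and-compare flow described above (example code written for this page, not razorblue’s own implementation), the snippet below stores only a derived fingerprint of each password and verifies a login attempt by re-running the same derivation. It goes beyond the text in two ways that a practitioner would want: each record carries a random per-user salt, so two users with the same password get different fingerprints, and the hash is computed with PBKDF2 (a deliberately slow function) so that a leaked database is expensive to brute-force. The iteration count, salt length and record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed cost parameters for this example; raise the iteration count as hardware allows.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record of the form algorithm$iterations$salt_hex$hash_hex.

    The salt is random per call, so the same password never yields the same record
    twice, and the iteration count is stored so it can be raised later for new records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the fingerprint with the stored salt and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        # Malformed record: treat as a failed login rather than raising.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


# Constructed in-memory "user table" standing in for the application's database.
USERS = {}


def register(username: str, password: str) -> None:
    """Store only the derived record, never the password itself."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Check a login attempt against the stored record."""
    stored = USERS.get(username)
    if stored is None:
        # Run the derivation anyway so the response time does not reveal
        # whether the username exists.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("stored record:", USERS["alice"])
    print("right password:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "Tr0ub4dor&3"))
```

Note that the stored record contains everything needed to re-check a password (algorithm, cost, salt, digest) but nothing that lets anyone recover it, which is exactly the property the section above asks for.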
Side note – Two Factor Authentication
Two-factor authentication (2FA) offers an additional way to protect your users and applications from unauthorised access. The principle behind 2FA is quite simple: “something you know and something you have”. A simple example: once the user has entered their password, the application generates a random single-use four-digit PIN and sends it to a verified device, for instance as a text message to a mobile phone. When the user receives the PIN they enter it, and if it matches, access is granted.
By using 2FA in applications you can be more confident that the login attempt has come from a valid user. The majority of applications now offer 2FA: Apple iCloud, Google and Facebook to name but a few. I highly recommend you look at enabling it.
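The following is an added example of the single-use PIN step just described; it is illustrative code written for this page, not razorblue’s or any vendor’s 2FA implementation. A four-digit code has only ten thousand possible values, so the example also enforces the two controls that make such a short code safe in practice: the code expires after a few minutes and is discarded after a small number of wrong guesses. The time limit, attempt limit, in-memory store and the `send_pin` stand-in for an SMS gateway are all assumptions.

```python
import hmac
import secrets
import time
from typing import Optional

# Assumed policy values for this example.
PIN_DIGITS = 4
PIN_TTL_SECONDS = 300      # a code is valid for five minutes
MAX_ATTEMPTS = 3           # then the code is thrown away and a new one must be issued

# Constructed in-memory store of pending codes, keyed by username.
# Each entry: {"pin": str, "expires": float, "attempts": int}
PENDING = {}


def issue_pin(username: str, now: Optional[float] = None) -> str:
    """Create a random single-use code for a user who has just passed the password check.

    Returns the code so the caller can deliver it to the user's verified device;
    issuing a new code replaces any earlier one for the same user.
    """
    now = time.time() if now is None else now
    # randbelow is from the secrets module, i.e. a CSPRNG, not random.randint.
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    PENDING[username] = {"pin": pin, "expires": now + PIN_TTL_SECONDS, "attempts": 0}
    return pin


def verify_pin(username: str, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted code. The code is consumed on success, on expiry,
    and after MAX_ATTEMPTS wrong guesses."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False                      # nothing pending for this user
    if now > entry["expires"]:
        del PENDING[username]             # too old: force a fresh code
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del PENDING[username]             # too many guesses: force a fresh code
        return False
    if hmac.compare_digest(submitted, entry["pin"]):
        del PENDING[username]             # single use: a correct code never works twice
        return True
    return False


def send_pin(username: str, pin: str) -> None:
    """Stand-in for an SMS or push gateway (constructed for this example)."""
    print(f"[constructed SMS to {username}'s verified phone] Your login code is {pin}")


if __name__ == "__main__":
    # Second factor begins only after the password step has already succeeded.
    code = issue_pin("alice")
    send_pin("alice", code)
    print("wrong code accepted? ", verify_pin("alice", "0000" if code != "0000" else "0001"))
    print("right code accepted? ", verify_pin("alice", code))
    print("replayed code accepted?", verify_pin("alice", code))
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; in a real application it would simply default to the clock. The important property to preserve when moving this to a database-backed store is that every path out of `verify_pin` other than a fresh wrong guess removes the pending code.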