Passwords have become a fact of online life: the chances are you’ve entered several and perhaps created (or even forgotten) one or more already today. With such widespread use, it can be easy to view them as a minor annoyance, and overlook the importance of password security. Here we list five best practice tips for both web services and their users:
1. Strength. A secure web service should encourage users to create a ‘strong’ password. A password’s strength corresponds to the predicted length of time that automated attempts would take to guess it by trying all possible combinations of characters and/or words in the dictionary, often known as a ‘brute force’ or ‘dictionary’ attack. Importantly, just small changes in length (e.g. from 6 to 8 characters) and the introduction of numbers, upper case letters, and punctuation can increase this time from a matter of minutes to centuries, making a strong password very difficult to ‘crack’. When choosing a password, users should also avoid terms that could be easily guessable by humans, such as the names of family members or pets, dates of birth, and the frequently used ‘password1’.
2. Re-use. With the sheer number of logins required every day, from simple tasks such as checking your email or updating your status on a social network to completing financial transactions, it’s tempting to re-use the same password across many different websites. Despite the apparent convenience, this should be avoided as it reduces the security of each login to that of the least secure service. Whilst it’s probable that your online bank will have water-tight security in place, this is less likely at your local sports club’s site, where a leak of a shared username and password could compromise both accounts.
3. Storage. Strong and varied passwords are no good if they are open to easy discovery by being stored insecurely. Applications should never store passwords in ‘plain text’, but instead store only the output of a one-way transformation which cannot be reversed to recover the original password, often referred to as ‘one-way hashing’. This means that access to a list of usernames and password hashes via a successful hacking attempt or even accidental publication would not in itself grant unauthorised access to user accounts. Users themselves should avoid writing passwords on notepads left on desks or post-its stuck to monitors: a safe way to remember many different logins is to store them in a file which is itself securely encrypted via a single ‘master’ password.
4. Transfer. It’s equally important to ensure that passwords are never transferred insecurely, in particular by email, which can be intercepted and read by any third party who is monitoring (or ‘sniffing’) network traffic. For this reason, websites should take particular care when handling forgotten/reset password functionality, which is a common source of security holes. For users wishing to communicate login details to a colleague, a better alternative is to send the username by email, and the password separately via phone call or text message: although each in itself is an insecure channel, the use of different methods makes discovery of the complete login less likely.
5. Locking. There are two senses in which ‘locking’ can be used to further increase password security. The first is for a user’s login to be ‘locked’ to a specific IP address or range. In contrast to referrer-based restrictions, it is not possible to effectively ‘spoof’ an IP address, meaning that even with access to the correct username and password a remote hacker would be unable to gain access. Secondly, an application can ‘lock’ a user’s account following a given number of failed login attempts, short-circuiting any attempt to guess passwords via ‘brute force’ techniques. Used in combination, these can provide a useful extra level of password security.
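Tips 3 and 5 together describe how a web service should handle the server side of a login: store only a one-way hash of each password, and lock the account after repeated failures. The following is an added example of both (not code from the original article), using a constructed in-memory user store, a random per-user salt with PBKDF2-HMAC-SHA256 as the one-way hash, and a hypothetical limit of five consecutive failed attempts.

```python
import hashlib
import hmac
import os

# Hypothetical settings for this example. Tune ITERATIONS to your hardware so that
# one hash takes on the order of 100 ms; it is deliberately slow to hinder brute force.
ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5

# Constructed in-memory user store (username -> record); a real service would use a database.
_users = {}


def hash_password(password, salt=None):
    """One-way hash of a password. A random per-user salt means two users with the
    same password get different hashes, and the digest cannot be reversed."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(username, password):
    """Store only the salt and the hash; the plain-text password is discarded."""
    salt, digest = hash_password(password)
    _users[username] = {"salt": salt, "hash": digest, "failed": 0, "locked": False}


def login(username, password):
    """Return 'ok', 'locked' or 'denied' without revealing which part was wrong."""
    record = _users.get(username)
    if record is None:
        # Hash anyway so unknown and known usernames take the same time to reject.
        hash_password(password, b"\x00" * 16)
        return "denied"
    if record["locked"]:
        return "locked"
    _, candidate = hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):  # constant-time comparison
        record["failed"] = 0
        return "ok"
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        record["locked"] = True  # short-circuits further brute-force guessing
        return "locked"
    return "denied"
```

A locked account needs an out-of-band unlock path (for example an administrator or a verified reset), which this example leaves out.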