Password Security In Web Applications: Best Practices and Anti-patterns. [1/2]

It is our responsibility as a programmer to keep passwords safe and secure. The millions of leaked passwords that we see in the news is a sign that we still have a lot of work to do.

Security is essential, and passwords are the primary authentication mechanism for web applications. Let get into some best practices and anti-patterns for building a robust, secure, and user-friendly password-based authentication system.

Client-Side implementation

The Client-Side part in any security system is the first line of defense that needs to be designed thoughtfully. One common misunderstanding is that making your app usable and human-friendly has nothing to do with your app security. As we will discuss this in anti-patterns, if your app security makes your app not usable, users tend to work around your security, which results in breaking your entire effort of building a secure system.

Best Practices:

Ban Common Passwords:

When a user registers on your system or tries to update his/her password, do not allow the use of widely used passwords, e.g., abc123 or password123. According to Robyn Hicock, Microsoft has found the practice of banning common passwords from being effective against a wide range of attacks, including brute force attacks. Do not limit your system with only one common password list and use multiple lists to have a more comprehensive password blacklist.

Remind Your Users Not To Reuse Passwords:

Many users tend to reuse passwords across different services. One study has compared two stolen password datasets and found the reuse rate was about 49%. As a result, it does not matter how secure your system is if an attacker can compromise your users’ data by stealing their password from less secure systems.

Since it is impossible to block your users from reusing their passwords, it is a good practice to put a friendly reminder in the registration or updating the password process. This is because reusing the same password for multiple systems and services is considered harmful.

Enforce Multi-Factor Authentication Registration, But Only Use It When Needed:

It is normal to have users asking to reset passwords or trying to access their accounts from untrusted devices. In these scenarios, it is crucial to add an extra layer of security to avoid attackers who simulate these behaviors to trick your system into thinking that they are your users. Multi-factor authentication is commonly used in these situations as an additional layer of protection. Microsoft reported an increase in successful and secure password recovery from 67% to 93% when using multi-factor authentication.

While multi-factor authentication is considered a good practice, using it everywhere and every time can create a burden on your users. For that reason, using risk assessment mechanisms to evaluate the need to use multi-factor authentication is an excellent balance between the security and the usability of your system.

Anti-Patterns:

Enforcing Users To Register With Very Complex Passwords:

There is a common misconception that the more complex your password is, the less likely it will be stolen. Dinei Florencio and Baris Coskun have shown that it is not all about how complicated the password is, but rather about how strong the security rules around it. For example, a complex and weak password can be on the same level of effectiveness against brute-force attacks if a three-attempts lockout is applied.

Another way that Dinei Florencio and Baris Coskun suggested to avoid enforcing complex password is to ask the user to register with a little more complicated username. This way, the attacker will have a hard time not only guessing the password but also guessing the strong username.

Other studies show that forcing users to use complex passwords encourages them to work around your security system with dangerous practices. For instance, users may write down their passwords on a piece of paper and leave it under their keyboard so that they do not need to remember the complex password each time they need it. This turns out to be an easy way for social engineers to steal your users’ passwords. A recent interview with Bill Burr, the inventor of the rules on creating safe and complex passwords, reveals his regret of inventing such a rule. He stated that the way users try to work around systems with complex passwords makes these systems less secure. He recommends that passwords should be long but easy-to-remember without any special characters.

Applying Passwords Expiration Policy:

As an extra level of security, some systems require their users to change their passwords frequently. It turns out this approach results in some severe security flaws. Anne Adams & Martina Angela have done a study that concludes that users tend to create weaker passwords each time the system asks them to reset the password. Moreover, another research shows that users pick new passwords that are related to their old ones, making the new passwords guessable if an attacker knows the previous ones.

In the next blog post, we will see how to transfer and store passwords securely.