DEV Community

Discussion on: 10 best practices to protect your users’ data (and why they’re still not sufficient)

Fred Ross

Two points here:

  1. Please don't use an elaborate password policy. Policies like "8-16 characters, including one uppercase letter, one lowercase letter, and one number" are not useful. Instead, impose a minimum entropy of the password. Obligatory xkcd: xkcd.com/936/

  2. Even before you get to the actual security of data, you need to first ask how you mitigate a compromise. Wikipedia needs backups to restore in case the site is erased, but doesn't need to protect the data from being viewed. A CIA system for communication with agents, on the other hand, needs a plan for extracting those agents and any handlers that may be compromised, and then rebuilding the networks that were compromised.

Before you store any data, figure out what you need to do to make all parties whole. The cost of doing that determines what level of security you need.

Dian Fay

Requiring periodic rotations is another bit of conventional wisdom that makes sense until you remember that you're dealing with people. Password managers, minimum entropy requirements, and 2FA give a lot more bang for your buck overall; rotations can help in certain sensitive circumstances, but they're a bad general remedy. Most users already find password management painful, and asking them to do it all over from scratch every few months introduces all kinds of opportunities for doing it poorly.

Timothee Isnard

Completely agreed on annoying password policies, but I think it's important to balance that with helping users who manage to reliably top the bad password lists!

I'd encourage websites that want to go the extra mile to integrate with the "Pwned Passwords" API of HaveIBeenPwned.com and high-quality password strength estimators like zxcvbn instead.
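The two ideas raised in this thread, a minimum-entropy floor instead of composition rules (Fred's point 1) and a breached-password lookup against Pwned Passwords (Timothee's suggestion), fit together in one registration check. The block below is an added example written for this discussion, not code from DEV or from HaveIBeenPwned. It implements the k-anonymity lookup the Pwned Passwords range endpoint uses (only the first 5 hex characters of the SHA-1 leave the client; the response lists every suffix sharing that prefix), but runs offline against a constructed sample response instead of calling https://api.pwnedpasswords.com/range/<prefix>. The `fetch_range` parameter and the `SAMPLE_RANGE_RESPONSE` data are assumptions of the example; the entropy estimate is a crude character-pool calculation, deliberately simpler than zxcvbn, to show why a pool-based number alone is not enough.

```python
import hashlib
import math
from typing import Callable, Dict, Tuple

# Constructed sample of what the range endpoint returns for the SHA-1 prefix
# "5BAA6" (the prefix of sha1("password")). Real responses are lines of
# "HASH-SUFFIX:COUNT". The second line is a hypothetical filler entry.
SAMPLE_RANGE_RESPONSE: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "0000000000000000000000000000000000A:1\r\n"
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for an HTTP GET of /range/<prefix>; serves the constructed sample."""
    return SAMPLE_RANGE_RESPONSE.get(prefix.upper(), "")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is compared locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appeared in known breaches (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def estimate_entropy_bits(password: str) -> float:
    """Crude estimate: length * log2(size of the character pool actually used).
    This is the naive model xkcd 936 criticises; zxcvbn's pattern matching is
    far better because it penalises dictionary words and common substitutions."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password: str, min_bits: float = 50.0,
                   fetch_range: Callable[[str], str] = offline_fetch_range) -> Tuple[bool, str]:
    """Reject breached passwords first (the cheapest, most reliable signal),
    then apply an entropy floor instead of composition rules."""
    seen = pwned_count(password, fetch_range)
    if seen > 0:
        return False, f"appears in {seen} known breaches"
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        return False, f"estimated entropy {bits:.1f} bits is below {min_bits:.0f}"
    return True, f"ok ({bits:.1f} bits, not in breach data)"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate))
```

Two things worth noticing when running it. "password" is rejected by the breach lookup before any entropy arithmetic happens, which is exactly why the lookup belongs first: no estimator needs to be clever about a string that attackers already hold in a list. And "Tr0ub4dor&3" passes the crude pool-size floor with about 72 bits, which is the weakness the xkcd comic and Timothee's zxcvbn recommendation are about; a pattern-aware estimator would score it far lower. In production the `fetch_range` callable would perform the HTTPS GET, and the parsed suffix comparison would stay on the server so the full hash never leaves it.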