Passwords are still the primary method of authentication today, in a form of something you know. Humans are lazy, often resulting in low entropy an...
For further actions, you may consider blocking this person and/or reporting abuse
Good suggestions.. But the best is, there is no need to do this yourself. Use Auth0, AAD, AWS Cognito,... Lots of good Auth as a Service options that allow you to not worry about this. As MFA continues to evolve (are YOU going to write FIDO2 support code?) it makes sense to leverage a service for this.
Thank you. Unfortunately, someone has to do it. I'm certainly not recommending every software developer to go out there and implement their own authentication system.
And at the very least, software developers should know how to do it properly / understand how it works and should be, even if they don't implement it themselves.
While people keep suggesting to go use an existing service to solve their authentication problems, what if the developers maintaining the existing services don't implement things correctly?
And using existing services is not always ideal.
Everyone makes mistakes, even the experts.
The downside is these are often a nightmare to debug when something goes wrong. Auth0, I'm looking at you here.
Offtopic: James, sorry to hear about your challenges when it comes to debugging in Auth0. If you have any specific feedback on what we can improve or details about the challenges you faced, feel free to shoot over an email to sandrino at auth0.com
Great article! I liked the Reasonable Policy part but didn’t quite got why special characters are not enforced.
For other readers extended reading (curious or otherwise): i wrote an explanation of salt and peppers (Web Authentication Universal Prinicpals) for software developers. I cover the coding angle of it with in depth illustrations and example.
dev.to/dpkahuja/learn-and-build-we...
Thank you!
I don't know how many times I've been annoyed dealing with that. It should stop at the length requirements, checking for known passwords, and passwords as identifiers.
Simply put, it can have a bad impact on UX, often gaining no benefit, or doing the opposite.
Beyond a minimum and maximum length, password rules are pretty terrible, despite what the math may say about a brute-force attack for those short complex passwords. History should tell you those short complex passwords are not good.
Yes. And one more thing in UX i have seen, they tell you after your first password creation attempt what is expected from it. Quite a bummer
What do you think about comparing the password to a list of X most common passwords and not allowing it?
I think it's a good idea, as I suggested in the article.
I'd also like to point out that the NIST too recognizes that password complexity requirements are not a good thing: pages.nist.gov/800-63-FAQ/#q-b10
Nice article on these difficult concepts! At the same time I think for most of applications, it's better to not ask user to create yet another password. Most of users don't use password manager and reuse the same password. I wrote an article to actually discuss about this point:
dev.to/simplelogin/why-you-shouldn...
I agree with you! However, solutions like SQRL seem like a much better approach to replacing passwords. Where the client is in control of their data, instead of a third-party.
Identity providers can be convenient, but back when I was an average user, I never once used them. Perhaps that's just me, even before I was security and privacy-oriented I tried to never have my stuff all linked up to one account.
I think the future is developers writing installable applications (leaving the clients in control of their data) that are free(as in freedom), open-source, and decentralized(distributed).
Lately, it's just been scary with how much information is collected about us.
Simply put, I think your solution(and nearly all identity providers in the form of third-party servers) is half-solving current problems, but for us to move forward we need to push harder.
And I can see applications being built in the future probably not too far, that are easier to use than SQRL, probably again in the form of asymmetric key cryptography.
This article is especially for you, for people and services who store credentials.
Thanks for your insights!
Ease of use
is very important and that's the main reason why OpenID 1.0 is replaced or SQRL is not popular.I don't know about the roadmap of other identity providers but for SimpleLogin, we want to make it open-source so that anyone can setup one for themselves if they want to have total control on the data.
Very nice article. Though you forgot one very important rule: "use adequate measures for the purpose." One of the worst things a dev can do is like enforce a 15 char password with numbers, upper and lowercase letters and at least one special char for an kids account to a game where I dont even have the option to buy anything. If thats for my bank account, ok, I get pissed but understand the idea.
What about simple variations of the username, like
myusername
with passwordmyusername46
? I know for a fact that attackers are looking for this common pattern.I think enforcing a minimum Levenshtein distance between the username/email and the password would be a reasonable measure, but I haven't seen this done before. I'd probably also consider sorting the characters first to catch reversals and other permutations. Do you see any problems with this?
Other simpler techniques such as a substring match would not be such a good idea because a long password that contains a short username should be fine.
Great question! That's an extremely good idea, although I haven't seen this done either. I'm sure someone's already implemented Levenshtein distance calculators in various programming languages.
Something definitely to look into. It's no worse than checking if the password is known, as long as the required Levenshtein distance is balanced, but not sure what that would be.
I love the article, I think it is a good read and dev should know these principles.
However, I think when possible you should use things like an OIDC provider when applicable, especially if you want MFA.
If not and you need to hash password yourself, find a well-vetted library that does this for you including salts, peppers and fried unions ;). Crypto is hard and nobody should implement it themselves unless you are a crypto genius and many devs (incl myself) are probably not.
You do have to keep the libraries up to date of course.
Anyway, great write! Love the way you explained things. Thanks!
I agree - great article :)
Regarding the use of federated authentication via protocols such as OpenID Connect (OIDC), I would say it depends on the application context: in a large number of commercial / enterprise situations, then it's very helpful to plug into a companies existing SSO solution where your app becomes part of their suite of tools and doesn't add to their user management pain - a big selling point IMO; in high security scenarios (eg: SIEM access, board meeting record system, privileged access management) or otherwise isolated environments (eg: air-gapped NOC/SOC tools), then it may not be possible to connect to an SSO solution, and it's good to know how to create a trustworthy local authenticator.
I'm going to look at this as my current defacto password resource. I don't deal with a lot of user creds, but I always find myself looking for what the best algorithm I should use is, or how I should salt hashes. Also, I never heard of "pepper" before, but I guess I shouldn't be surprised because of how much programmers love to give names like this to things. Thanks for the article!
You're welcome! And yes, developers do that. "Pepper" is just a cryptographic secret used to make an HMAC in terms of password hashing. Therefore it isn't actually a "pepper". Merely a nickname. :)
I would go so far as to strongly recommend against engineers implementing the password hashing routine for themselves. That requires some additional knowledge like how many rounds to use, memory optimization and how to avoid edge cases that open you to attacks (e.g. Argon2i with 1-2 passes, bcrypt as mentioned). While they should understand the principles it's best to rely one of the many robust, tested, peer-reviewed libraries that exist for most platforms.
re: TLS
Thankfully as of 2020, the browser-based internet effectively won't function on anything less than 1.2. It's about damn time :) Doesn't protect headless clients, but it's a step in the right direction.
Agreed, developer shouldn't even be doing the password hashing. I entirely forgot about the 1-2 passes issue with Argon2i, thanks for reminding me. And yes, it's about time we get TLS 1.2 and newer pushed to everybody.
To mitigate the attack there needs to be 3 or more passes with 10 or more passes over memory.
And again, too complicated for your average web developer who barely do any math in their day-to-day job who've got deadlines to meet. :)
I'm trying to find more edge cases, but no avail. Although I've already done massive amounts of research, trying to put together a post with everything about passwords and all the edge cases that come with is a little difficult. There is definitely a long list of issues and practices to avoid.
Great article! Should also mention you should transport passwords through a secure line.
💯, I've always wondered why some websites prevent this action
Thanks! I'll be sure to add that.
It’s a bit Alu-Hatty, but right! As the saying goes: just because you are paranoid, does not mean, they are not after you. 😬
Just kidding... very well written and absolutely true. Especially about the character set. Passwords are the ONE case, where length (and I’d say only length) matters.
Thank you! And yes, length(more so) and entropy are what matters.
Very interesting article. Thank you! I wish to have this info updated every 6 months, so developers could easily have an update about recent hashing algorithms just invented or ready-to-use in production. Also, it would be nice to add list of libraries/frameworks for different programming languages that support such hashing algorithms out of the box. It's not always possible to track this information when you deeply work on the product or features, but it's important.
This is a very good article, but one thing I'd like to point out is that if you're allowing Unicode passphrases (which in itself is a good idea), you definitely need to normalize them (to any form you wish, as long as it's consistent) before hashing them. Otherwise, you risk ending up with different hashes that don't match just because the Unicode representation of the password is different.
I wrote an article about the need for Unicode normalization a few months ago: withblue.ink/2019/03/11/why-you-ne...
Why not use SMS?, see Note: Do not implement SMS for multi-factor authentication!
Because it's easy to do SIM swam scams, spoof phone numbers, etc. It's another personally-identifying bit of information that we shouldn't need for authentication.
As attacks become more efficient, we're moving to better solutions like YubiKeys and TOTP-based authenticator apps. Both of which are still fairly easy to use.
SIM swaps can be done without the user's knowledge or consent and thus SMS codes are possible to intercept.
Nice article Nathilia!
Greetings from Brazil.
Thank you!
such a great post! the use of password managers is awesome, I've been using it by a while and there are so much good benefits on it, even the auto generated random password functionality
Excellent work in breaking down the policies and reasons behind them. There's lots of work to be done by existing companies, but your ground-up approach of educating developers is great. Kudos to you!
Great article.
For lazy guys, PHP has password_hash() function to hash passwords. It will automatically generate salt value for you.
Best
cloudinvent.com/
Awesome article Nathilia, thank you!
Try double hashing once on the client and once on the server ;)
Would you care to share if this is good, bad, and why we should or shouldn't take this approach? In most cases, I don't see this adding much benefit.
Although, I could be wrong.
Great article! I think that already a combination of minimal length (12-16) and MFA drops chances of password cracking significantly :)