Passwords are still the primary method of authentication today, in a form of something you know. Humans are lazy, often resulting in low entropy and reused passwords.
Magnitudes of research and thought have been put into protecting passwords. They are known as the simplest form of a challengeβresponse authentication scheme.
Because the challenge "What is your password?" is repeated, so is the response, opening the door to possible replay attacks.
Choose the Right Hashing Algorithm
Argon2 is a key derivation function, the winner of the password hashing competition and should be used for new projects. In case it isn't available, use Scrypt. Any other KDF is nonoptimal.
Argon2's "i" variant is resistant to side-channel attacks, while "d" variant is resistant to time-memory tradeoff attacks. "id" is the hybrid variant, resistant to both and suitable for most purposes.
Make sure to use "id" variant of Argon2.
Salt Hashes Properly
Salts are closely related to nonces, however, nonces are for communication protocols, not hashing. Nonces protect against replay attacks, while salts protect against precomputed hashes(aka rainbow tables). It's important to separate them, as they aren't protecting against the same things.
The only requirements of salts are to be unique to each hash and public, however, they should be unpredictable to prevent precomputing future hashes.
A cryptographically secure pseudo-random number generator output of 32 bytes will produce an unpredictable, and unique value.
"Pepper" Hashes Properly
If you've been around the internet, researching password salts, you've probably heard of the "pepper". It is a cryptographic secret(secret key), that must be unpredictable and unique to each application, used in a hash function.
Wait ... sounds a lot like an keyed-hash message authentication code, right? That's because it is. One must be extremely careful implementing "peppers" because it can lead to length extension attacks and nasty problems with Bcrypt.
Argon2 actually implements a secret value
in the official spec as an optional argument to act as a "pepper". If you're using an implementation that does not support the secret value
, encrypt the hash. If you're not using Argon2, encrypt the hash.
Do not waste your time implementing both a "pepper" and encrypting the hash. You gain no practical benefit. And you might want to store your cryptographic secrets in a hardware security module.
Libraries & Services
You SHOULDN'T be rolling your own authentication system in production, use pre-made libraries and services. But you should learn how to implement them and how they work.
If you're a PHP developer, use the built-in password_hash
function. Or even better, use Halite. Be sure to use PHP 7.2 and above. Take note that the default password hashing algorithm for PHP is Bcrypt.
Use Halite to hash then encrypt your passwords. An encryption key is required by the library for storing passwords.
PargonIE\Halite\Password::hash($_POST["password"], $encryptionKey);
Another great post about how you should hash passwords in many different programming languages.
Perhaps a third-party solution?:
Use a Reasonable Policy
- Maximum length of no less than 128 characters.
- Minimum length of 12 or 16 characters.
- Support almost if not all Unicode and whitespace.
- Decline known passwords via HIBP API.
- Decline passwords matching the identifier, e.g: email, username.
- Don't enforce special characters, uppercase, lowercase, symbols, etc.
- Don't truncate, sanitize, or format their passwords in any way shape or form!
- Don't prevent them from copying and pasting into the password fields.
- Don't limit what they can or cannot put into the password fields.
- Don't require password changes every so often.
What matters most, is the length(more so) and entropy. If you feel still inclined to enforce the character set above, don't. Enforce multi-factor authentication instead, their accounts will be far better with it.
If you enforce that character set, you run the risk of them writing it down, forgetting it, annoying them, or choosing a weak password. You can also cause users to write down their passwords if you enforce password changes.
As pointed out by @nylen , perhaps calculate the Levenshtein distance between the password and the identifier and decline passwords within a dangerous distance. Of course with a reasonable minimum distance.
Finally Encourage Good Practices
Encourage the use of diceware, passphrases, password managers (like BitWarden), and multi-factor authentication(FIDO and TOTP protocols).
Discourage passwords with personal information like names, dates, birthdays, etc. Or sharing them if at all possible.
Notes
- Protect your communications with TLS 1.2 and newer, the successor to the SSL protocol. Otherwise sensitive information(passwords) will be exposed, rendering your state-of-the-art hashing useless.
- Do not implement SMS for multi-factor authentication! They're easily exploitable via SIM swap scam, and spoofing phone numbers to obtain verification codes.
Latest comments (41)
such a great post! the use of password managers is awesome, I've been using it by a while and there are so much good benefits on it, even the auto generated random password functionality
Great article! I think that already a combination of minimal length (12-16) and MFA drops chances of password cracking significantly :)
This is a very good article, but one thing I'd like to point out is that if you're allowing Unicode passphrases (which in itself is a good idea), you definitely need to normalize them (to any form you wish, as long as it's consistent) before hashing them. Otherwise, you risk ending up with different hashes that don't match just because the Unicode representation of the password is different.
I wrote an article about the need for Unicode normalization a few months ago: withblue.ink/2019/03/11/why-you-ne...
I would go so far as to strongly recommend against engineers implementing the password hashing routine for themselves. That requires some additional knowledge like how many rounds to use, memory optimization and how to avoid edge cases that open you to attacks (e.g. Argon2i with 1-2 passes, bcrypt as mentioned). While they should understand the principles it's best to rely one of the many robust, tested, peer-reviewed libraries that exist for most platforms.
re: TLS
Thankfully as of 2020, the browser-based internet effectively won't function on anything less than 1.2. It's about damn time :) Doesn't protect headless clients, but it's a step in the right direction.
Agreed, developer shouldn't even be doing the password hashing. I entirely forgot about the 1-2 passes issue with Argon2i, thanks for reminding me. And yes, it's about time we get TLS 1.2 and newer pushed to everybody.
To mitigate the attack there needs to be 3 or more passes with 10 or more passes over memory.
And again, too complicated for your average web developer who barely do any math in their day-to-day job who've got deadlines to meet. :)
I'm trying to find more edge cases, but no avail. Although I've already done massive amounts of research, trying to put together a post with everything about passwords and all the edge cases that come with is a little difficult. There is definitely a long list of issues and practices to avoid.
Nice article Nathilia!
Greetings from Brazil.
Thank you!
Awesome article Nathilia, thank you!
Great article.
For lazy guys, PHP has password_hash() function to hash passwords. It will automatically generate salt value for you.
Best
cloudinvent.com/
Very interesting article. Thank you! I wish to have this info updated every 6 months, so developers could easily have an update about recent hashing algorithms just invented or ready-to-use in production. Also, it would be nice to add list of libraries/frameworks for different programming languages that support such hashing algorithms out of the box. It's not always possible to track this information when you deeply work on the product or features, but it's important.
Very nice article. Though you forgot one very important rule: "use adequate measures for the purpose." One of the worst things a dev can do is like enforce a 15 char password with numbers, upper and lowercase letters and at least one special char for an kids account to a game where I dont even have the option to buy anything. If thats for my bank account, ok, I get pissed but understand the idea.
I love the article, I think it is a good read and dev should know these principles.
However, I think when possible you should use things like an OIDC provider when applicable, especially if you want MFA.
If not and you need to hash password yourself, find a well-vetted library that does this for you including salts, peppers and fried unions ;). Crypto is hard and nobody should implement it themselves unless you are a crypto genius and many devs (incl myself) are probably not.
You do have to keep the libraries up to date of course.
Anyway, great write! Love the way you explained things. Thanks!
I agree - great article :)
Regarding the use of federated authentication via protocols such as OpenID Connect (OIDC), I would say it depends on the application context: in a large number of commercial / enterprise situations, then it's very helpful to plug into a companies existing SSO solution where your app becomes part of their suite of tools and doesn't add to their user management pain - a big selling point IMO; in high security scenarios (eg: SIEM access, board meeting record system, privileged access management) or otherwise isolated environments (eg: air-gapped NOC/SOC tools), then it may not be possible to connect to an SSO solution, and it's good to know how to create a trustworthy local authenticator.
Why not use SMS?, see Note: Do not implement SMS for multi-factor authentication!
SIM swaps can be done without the user's knowledge or consent and thus SMS codes are possible to intercept.
Because it's easy to do SIM swam scams, spoof phone numbers, etc. It's another personally-identifying bit of information that we shouldn't need for authentication.
As attacks become more efficient, we're moving to better solutions like YubiKeys and TOTP-based authenticator apps. Both of which are still fairly easy to use.
What about simple variations of the username, like
myusername
with passwordmyusername46
? I know for a fact that attackers are looking for this common pattern.I think enforcing a minimum Levenshtein distance between the username/email and the password would be a reasonable measure, but I haven't seen this done before. I'd probably also consider sorting the characters first to catch reversals and other permutations. Do you see any problems with this?
Other simpler techniques such as a substring match would not be such a good idea because a long password that contains a short username should be fine.
Great question! That's an extremely good idea, although I haven't seen this done either. I'm sure someone's already implemented Levenshtein distance calculators in various programming languages.
Something definitely to look into. It's no worse than checking if the password is known, as long as the required Levenshtein distance is balanced, but not sure what that would be.
Good suggestions.. But the best is, there is no need to do this yourself. Use Auth0, AAD, AWS Cognito,... Lots of good Auth as a Service options that allow you to not worry about this. As MFA continues to evolve (are YOU going to write FIDO2 support code?) it makes sense to leverage a service for this.
The downside is these are often a nightmare to debug when something goes wrong. Auth0, I'm looking at you here.
Offtopic: James, sorry to hear about your challenges when it comes to debugging in Auth0. If you have any specific feedback on what we can improve or details about the challenges you faced, feel free to shoot over an email to sandrino at auth0.com
Thank you. Unfortunately, someone has to do it. I'm certainly not recommending every software developer to go out there and implement their own authentication system.
And at the very least, software developers should know how to do it properly / understand how it works and should be, even if they don't implement it themselves.
While people keep suggesting to go use an existing service to solve their authentication problems, what if the developers maintaining the existing services don't implement things correctly?
And using existing services is not always ideal.
Everyone makes mistakes, even the experts.
Excellent work in breaking down the policies and reasons behind them. There's lots of work to be done by existing companies, but your ground-up approach of educating developers is great. Kudos to you!
Try double hashing once on the client and once on the server ;)
Would you care to share if this is good, bad, and why we should or shouldn't take this approach? In most cases, I don't see this adding much benefit.
Although, I could be wrong.
Some comments may only be visible to logged-in visitors. Sign in to view all comments.