Password guide for developers

The password basics for developers

Handling and storing passwords is not a trivial thing. Nowadays it is quite common to see daily news of companies having problems with their database being hacked. The truth is that most of these problems wouldn't happen if application developers and administrators had taken the recommended steps towards secure systems. Nowadays, with cloud computing and social engineering, it's easy to break systems and deceive people. Cracking passwords can now be done in a matter of seconds. Fake emails lead people to phishing websites where they provide their access details, without even suspecting that they're not where they think they are.

Let's talk about some basic points.

  • Use encryption whenever possible. Well, that means always!
  • You shouldn't be able to figure out a user password, not even when you have direct access to the location where it's stored (a SQL database or in-memory, for example).
  • Users shouldn't be able to enter weak passwords. For end users the system must enforce at least medium passwords, and for administrators it must require strong passwords. Check our code examples to learn how to do this.

Always use encryption

No exceptions. Storing, sending and receiving password details should always be done using some kind of encryption, preferably one that you can't revert (cryptographic hash functions like MD5 or SHA).

Storing a password in clear text will make it completely vulnerable to anyone who gets access to the location where it's being stored: dodgy employees, former DBAs, and of course hackers. Ideally you should never store the password itself, but just a representation of it that makes it possible to compare the values during the authentication process. And that's what happens when you encrypt the password value.

Transmitting a password in clear text will make it vulnerable to endpoints that might have been hacked somehow. It could be a background packet sniffer running on the server or the client machine, for example. Sending and receiving passwords in an encrypted format will make things much more difficult for attackers.

Choosing the right encryption method

Deciding which encryption algorithm to use is not a show stopper. All the major algorithms already have implementations for all main platforms and frameworks. What affects your decision is the algorithm's strength, scalability and performance.

  • Hash functions are one way only, so in theory you can't decrypt a hash value back to its original data. Hash algorithms are also quite fast. For these two reasons, storing and transmitting passwords as hash values is usually the best option.
  • Symmetric algorithms use one shared key to encrypt and decrypt values. Symmetric encryption is usually much faster than asymmetric encryption, but is not as secure because all the parties must know the single encryption key.
  • Asymmetric algorithms use different public and private keys for encryption and decryption. This makes it quite secure, as you don't have to share your main key, just your public key, which is ideal for confidentiality. It's usually much slower and more resource-intensive than symmetric encryption.

So which one? Passwords were created for authentication, to make it possible for you to identify yourself in a system. So no one else should know this value, just you, right? Not even the server itself. That's why storing and transmitting passwords using hash cryptography is recommended. The system only needs to compare what the user has entered to what is stored in its database. The password itself doesn't matter.

Validating user input

Always validate user input! Not just to make sure that users can't enter weak passwords, but also to prevent bots from trying to break into your application. A normal user will never try to log in more than 5 times in less than one minute. For example, you can block the user session and IP for a short period of 1 hour if they try to log in with the wrong password more than 3 times in less than 1 minute. You might also block the user account and raise a security alert if you identify more than 10 login attempts in less than 30 seconds.
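The two thresholds above (more than 3 wrong passwords in 1 minute blocks the session and IP for 1 hour; more than 10 attempts in 30 seconds locks the account and raises an alert) as a small login-attempt tracker. This is an added example, not code from the original guide; the `LoginGuard` class, its injectable clock and the alert list are assumptions made here so the logic can be tested offline.

```python
import time
from collections import defaultdict, deque

# Thresholds taken from the guide text: wrong-password rule and burst rule.
FAIL_LIMIT, FAIL_WINDOW, BLOCK_SECONDS = 3, 60, 3600   # >3 failures within 60 s -> 1 h block
BURST_LIMIT, BURST_WINDOW = 10, 30                      # >10 attempts within 30 s -> lock + alert


class LoginGuard:
    """Tracks login attempts per (user, ip) and applies both rules (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable clock: tests pass a fake one
        self.attempts = defaultdict(deque)  # (user, ip) -> timestamps of all attempts
        self.failures = defaultdict(deque)  # (user, ip) -> timestamps of failed attempts
        self.blocked_until = {}             # (user, ip) -> when the temporary block expires
        self.locked_accounts = set()        # accounts locked pending review
        self.alerts = []                    # constructed stand-in for a real alerting channel

    @staticmethod
    def _trim(q, now, window):
        # Drop timestamps older than the sliding window.
        while q and now - q[0] > window:
            q.popleft()

    def allowed(self, user, ip):
        """True if this user/IP may attempt a login right now."""
        now = self.clock()
        if user in self.locked_accounts:
            return False
        return now >= self.blocked_until.get((user, ip), 0)

    def record(self, user, ip, success):
        """Record one attempt after the password check; returns a status string."""
        now, key = self.clock(), (user, ip)
        self.attempts[key].append(now)
        self._trim(self.attempts[key], now, BURST_WINDOW)
        if len(self.attempts[key]) > BURST_LIMIT:       # burst rule: all attempts count
            self.locked_accounts.add(user)
            self.alerts.append(f"{len(self.attempts[key])} attempts on {user!r} from {ip}")
            return "locked"
        if success:
            self.failures[key].clear()                  # a good login resets the failure count
            return "ok"
        self.failures[key].append(now)
        self._trim(self.failures[key], now, FAIL_WINDOW)
        if len(self.failures[key]) > FAIL_LIMIT:        # wrong-password rule
            self.blocked_until[key] = now + BLOCK_SECONDS
            return "blocked"
        return "failed"
```

Call `allowed()` before checking the password and `record()` afterwards; the block is keyed per user and IP, so a block on one address does not affect the same user from another.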

Ask for strong passwords

If you check our user guide, you can see the list of basic rules for choosing strong passwords. You should always check for things like password length and complexity (letters, numbers and symbols) before accepting a password during the registration process. We have some code examples to help you.

External resources

Check our news section to stay informed!

Revision: 25th August 2010