Passwords and Security

Cybersecurity (or lack thereof) is a disaster. Every website in the world is under constant attack by networks of automated hacking robots (bot nets) checking for weak security.

Everyone should use a password manager such as PasswordSafe or BitWarden. These tools will generate a different random password for each account/website you use and store it securely encrypted. You “open” your safe by entering a master password which then decrypts all the stored information. The tools will also let you securely store things like the URL of the website, and some free form information like account numbers. All you need to memorize is one master password (make it something good – an unusual phrase).

Because so many sites use bad security practices, there are now massive databases of hacked usernames and passwords available. This would have been impossible if companies followed best security practices of even 30 years ago. This means you are particularly vulnerable if you use only one or a few passwords for many sites. Even if your password is good, you’re depending on the developers of the website you entered that password into for its security.

Using different randomly generated passwords for each website means that even if one site uses bad security practices and is hacked, ONLY your account at that site is compromised, not all of your accounts.

Developers: NIST has issued guidance on password practices that are quite good and everyone who writes software that requires password authentication should read this:

https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines

Some of the simple things you can (and must) do that have been common practice since at least the 1990s:

  • Don’t store passwords. Anywhere. Not plaintext or encrypted. You should only store a one-way hash of the salted password. Even ancient hashes like MD5 are much better than storing plaintext or encrypted passwords, but there’s really no excuse for using anything weaker than SHA256 or better these days.
  • Use password spinning: after every N failed attempts, add a small (1-3 second) delay. This effectively prevents brute-force/rainbow hacking.
  • Test new passwords against a database of known hacked passwords. (no “OpenSesame”)
  • Require reasonable minimum password lengths. (no “123”)
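The four practices above, worked into one small example. This is added code, not from the original post: it assumes PBKDF2-HMAC-SHA256 from Python’s hashlib as the salted one-way hash (one choice that satisfies “SHA256 or better”), a constructed stand-in for a breach database, N = 3 failed attempts and a 2-second delay.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a database of known hacked passwords; a real
# deployment would query a full breach corpus instead of this set.
BREACHED_PASSWORDS = {"123456", "password", "opensesame", "qwerty"}
MIN_LENGTH = 12                 # "reasonable minimum password length"
FAILURES_BEFORE_DELAY = 3       # the N in "after every N failed attempts"
DELAY_SECONDS = 2               # inside the 1-3 second range in the text
PBKDF2_ROUNDS = 600_000         # work factor; raise as hardware gets faster


def validate_new_password(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the new password is acceptable."""
    if password.lower() in BREACHED_PASSWORDS:
        return "appears in a breach database"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, one-way hash). Only these two values are ever stored;
    the password itself is never written anywhere, plaintext or encrypted."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_hash)


def delay_for_attempt(failed_attempts: int) -> int:
    """Seconds to pause before answering a login attempt ("password spinning").
    Interpretation used here: every Nth consecutive failure adds the delay,
    which caps the rate at which an online guessing bot can try passwords."""
    if failed_attempts > 0 and failed_attempts % FAILURES_BEFORE_DELAY == 0:
        return DELAY_SECONDS
    return 0
```

A login handler would call `delay_for_attempt` with the account’s failure counter, `time.sleep` for that long, then `verify_password` against the stored salt and hash.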

Not from the 90s, but probably a good idea these days:

  • If you have a fast and easy way to do 2FA (e.g. biometric), use it.

Some things you should NOT do (and that drive me crazy when I see it):

  • Require users to change their passwords frequently – this is just nuts; it drives users crazy and incentivizes them to use simpler and easier to remember passwords.
  • Have special characters users must/can’t use in their passwords. This discourages the use of good random password generation and is even worse without it.
  • Prevent users from seeing the password as they type it (that should be an option).
  • Use time-consuming 2FA methods (like text messages or validator apps) for things that don’t need that level of security. It introduces a super-annoying delay in accessing your data/app. Biometric 2FA is OK.