Payload Logo

N.2: Password Implementation CheatSheet

Author

Norbert Takács

  • All printable ASCII characters have to be supported.
    • You have to assume that your users will want to use all types of languages and layouts. Support all printable ASCII characters and optionally full Unicode character sets
  • Show password
    • Showing the user the password is not harmful. This is especially beneficial on tablets and phones, where the onscreen keyboard can cause mistakes.
  • 12-16 characters minimum
    • This is the minimum required to defeat brute-force attacks.
  • Allow paste
    • Not allowing pasting of passwords discourages users from using password managers.
  • Password expiry:
    • This incentivises users without password managers to reuse old modified passwords. Instead, the passwords they create are semi-unique and not memorable anymore. They are often stored in plain text to be remembered.
  • Don't force special character rules.
    • Special characters don't make passwords more secure.
  • Don't limit password length
    • Passwords are hashed to the length of the hashing algorithm output. There is no need to limit the password length artificially. Maximum password length is a symptom of companies storing passwords in plaintext.
  • Don't use password hints or security questions.
    • These questions can often be answered from social media.
  • Individually salt passwords
    • This prevents attacks using precomputed hashes, and it ensures that even if two users have the same password. Their hashes will be different. This is already done by the following recommended hashing algorithms:
      • argon2i
      • bcrypt
      • scrypt
  • Require MFA
    • This is important for secure calls. If a user requests to change their password, ask them to authorise with MFA. SMS, Email code, and OneTimePassword are all valid MFA options.
  • Check against breached user/pass pairs.
    • Have-I-been-pwned and Spycloud both offer API-s for verifying if the user's credentials have been compromised.
  • High-cost hashing
    • Use hashing algorithms that allow you to change the hashing cost. This makes hashing more CPU/RAM intensive. High cost will also slow you down when hashing passwords since your algorithm will consume more compute resources, but it's important to use since it prevents attackers from breaking hashes at high speed using GPU/ASIC brute force attacks. Argon2i, bcrypt, and scrypt all support setting the cost.
  • Throttle brute force attempts
    • Implement rate limiting and monitor login attempts to prevent actors from brute forcing user logins.
  • Block context-specific passwords
    • This includes but is not limited to passwords which reuse the service name in the password. PW:mypassword-instagram
  • Check against a list of common passwords.
    • For example, the PwnedPasswordsTop100k.txt from the National Cyber Security Centre. This has to be done when setting or changing passwords.

Source: OWASP

Join the Discussion on github