Password Strength & Security 🤔

Devanand Premkumar
11 replies
Hi Makers, Creators & Founders,

As users of various applications, we are forced to select a password based on the individual rules and requirements including complexity, number of characters, lower and upper case. In your experience, what do you think makes a password safe? 💡

1. Password is never safe
2. characters in length = 8
3. characters in length > 12
4. Stored in password managers
5. Avoid using previously exposed passwords

I am curious to understand from the perspective of end-users, which makes them feel safe with password characteristics. Let us learn from our own experience on how we have implemented password security in applications.

Replies

Software Engineer
From my experience, the most secure password is the one the user can easily remember. Forcing a user to use a complex password might increase the security of the app, but it also forces the user to write down the password, which could easily be stolen. What I usually do is to either combine security questions or use an OTP when they have entered the wrong password 3 times. And at the same time, I make sure that I do not store passwords in plain-text or encrypt them. I use password hashes.
Security Researcher
@rotimi_je_suis I totally agree with you as the complex password enforcement would lead to poor security practices. In fact, NIST800-63 clearly provides detailed guidelines and suggests avoiding complexity on any kind of a password. They suggest avoiding using previously exposed passwords and force people to change only when there is a potential leak of such sensitive details. I had written a bit more in detail about this requirement at: https://blog.xposedornot.com/nis... One question I want to ask is how have you implemented the password requirements in your applications? Please let me know.
Software Engineer
@devaonbreaches I'll read your blog post. What I usually do is to enforce that the user has a number and/or a special character at the most. Then I make sure the password is hashed and not encrypted. This way, even if my DB is compromised the password won't be exposed. Also, in the event that the user wants to reset their password, I make them answer security questions coupled with an OTP.
Security Researcher
@rotimi_je_suis I understand the enforcement of number and special character as it is pretty common. The second factor including OTP is a good option to try as well for password resets.
Previous PM @ Snap | Building cool s**t
I would say that a password is never safe as long as it depends on a human to keep it safe lol. My experience at my previous work is that security for sensitive applications was always kept out of the hands of a human. For personal, I would say my greatest security is making sure 2FA is enabled if it's available. Everything you mentioned (1-5) I would say are just small details in between.
Security Researcher
@alex_arevalo You are right Alex on that. Passwords by their inherent nature are no longer safe if they are not combined with 2FA or MFA. But as a maker, what do you think of avoiding passwords which are exposed in a previous breach? For example, the password "Password!23" would satisfy almost all requirements including longer than 8 characters, has upper and lower characters, has special character. However, this is one of the passwords which are pretty much exposed for a very long time. Do you think a strong and unexposed password combined with 2FA/MFA would help to secure our applications?
Previous PM @ Snap | Building cool s**t
@devaonbreaches I would say that would do the job in the beginning. Unless you are pushing major market attention that would attract hackers or you are harboring very sensitive information that hackers would find valuable, this should take care of 99.9% of your problems.
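The "Password!23" point from the exchange above, as an added example that is not from any participant in the thread: a composition rule accepts that password, while a length check plus a lookup against an exposed-password list rejects it. The list here is a small constructed sample, and the function names and the 8-character minimum are assumptions made for the example.

```python
import hashlib
import re
import unicodedata

# Constructed sample standing in for a breach corpus. Real corpora hold
# millions of entries and are usually distributed as hashes, not plaintext.
CONSTRUCTED_EXPOSED = ["Password!23", "123456", "qwerty", "letmein"]


def _digest(password):
    # Normalize first so visually identical Unicode input hashes the same way.
    normalized = unicodedata.normalize("NFKC", password)
    # SHA-1 is used only as a lookup key for the list, never to store passwords.
    return hashlib.sha1(normalized.encode("utf-8")).hexdigest()


EXPOSED_DIGESTS = {_digest(p) for p in CONSTRUCTED_EXPOSED}


def passes_complexity_rules(password):
    """Composition policy described in the thread: >8 chars, upper, lower, special."""
    return (len(password) > 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def screen_password(password, min_length=8):
    """Return (accepted, reason) using length and exposure screening only."""
    if len(unicodedata.normalize("NFKC", password)) < min_length:
        return False, "too short"
    if _digest(password) in EXPOSED_DIGESTS:
        return False, "found in exposed-password list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Password!23", "correct horse battery staple", "qwerty"]:
        print(candidate, passes_complexity_rules(candidate), screen_password(candidate))
```

The long lowercase passphrase fails the composition rule yet passes the screening check, which is the opposite of what happens to "Password!23".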
Exploring Psychology @ Psych.email
I would say that the best password is the one which is strong, easy to remember for user and yet complex. Sometimes, you can do that by using no password at all, if you are looking for authentication.
Security Researcher
@realdesigntack Totally agreed 100%. The best way to get a safe and secure password is to make it easy to remember and yet complex. We can use a combination of common words in a form that is easy to understand. "I-do-love-my-projects-all4ever" would sure qualify as an example of the password created through the method you have highlighted. Am I right, Vaibhav?
Exploring Psychology @ Psych.email
@devaonbreaches I am not sure if you understood my point or not. I have mentioned 3 things:

1. Strong
2. Easy to remember FOR USER
3. "yet" complex

I did NOT say to use a combination of common words in a form that is easy to understand. If you read again, I said something which is easy to remember for the user, doesn't matter for the machine. Machines can store it and access it anytime from a database of humongous data. Not the same thing for a human (unless your user is a robot). So, while I would love to have "I-do-love-my-projects-all4ever" as my password because it is easy to remember, it should be the job of the maker/platform owner to keep it safe and encrypted. No one would like to remember "6jpchN^z<>fDX;bP" as their password (instead they'll use a pass manager for it).
Security Researcher
@realdesigntack You have a valid point. To clarify, you said it should be easy for the user, and hence that sample password was used. I just gave a quick example to meet the requirements highlighted by you and not exactly forcing the expectation to have common words in passwords. In the backend it needs to be kept safe and not exactly in plain text, and we should be using the password hashing algorithms like bcrypt to convert the "I-do-love-my-projects-all4ever" to "6jpchN^z<>fDX;bP". So every time when you are using the same easy-to-remember password, the system or application would convert it to the respective hash and verify against the stored one and validate. Or the next best alternative is to use a password manager as you have rightly pointed out. They can even have "6jpchN^z<>fDX;bP" as their password even though they don't even need to remember it, as the password manager will handle the role of that for them. Trust it is clear now.
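The hash-and-verify flow discussed in this exchange and in the first reply (hashed storage, an OTP after 3 wrong attempts), as an added example that is not from any participant in the thread. It uses scrypt from the Python standard library in place of bcrypt; the record layout, cost parameters and return values are assumptions made for the example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
N, R, P, KEY_LEN = 2**14, 8, 1, 32
MAX_FAILURES = 3  # threshold mentioned in the thread before asking for an OTP


def _derive(password, salt):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=N, r=R, p=P, dklen=KEY_LEN)


def hash_password(password):
    """Create the stored record: a random per-user salt plus the derived key."""
    salt = os.urandom(16)
    return {"salt": salt, "key": _derive(password, salt), "failures": 0}


def verify_password(record, attempt):
    """Return 'ok', 'denied', or 'otp_required' (hypothetical status strings)."""
    if record["failures"] >= MAX_FAILURES:
        # Password alone is no longer enough; the caller must run its OTP step
        # and reset the counter itself once that succeeds.
        return "otp_required"
    # The stored key cannot be reversed; the attempt is re-derived with the
    # stored salt and compared in constant time.
    if hmac.compare_digest(_derive(attempt, record["salt"]), record["key"]):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    return "otp_required" if record["failures"] >= MAX_FAILURES else "denied"


if __name__ == "__main__":
    rec = hash_password("I-do-love-my-projects-all4ever")
    print(rec["key"].hex())  # 32 opaque bytes, different on every run
    print(verify_password(rec, "I-do-love-my-projects-all4ever"))
    print([verify_password(rec, "wrong guess") for _ in range(3)])
```

Because the salt is random, the same password produces a different stored key for every account, so two users with identical passwords do not share a hash.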