One thing that struck me when I was developing Quocial last summer was that I was spending a staggering amount of time on details that had little to do with the core functionality of my site. Thousands of little things go into making a webapp that works the way people expect. And yet, even when using a convention-over-configuration framework like Rails, developers constantly stumble into common problems and spend hours reinventing common solutions.
So, I’ve decided to start cataloging these frequent sticking points. Eventually, I’d like to organize them into a book, tentatively titled The Web Application Checklist. But for now, I’m just going to post them here on an as-I-think-of-them basis, with the tag wach. These entries are rough drafts and subject to heavy revision.
Today’s item: passwords. If your application needs enough security to require a password at all, it should require a good one. So when a user tries to create an account secured by the string 123456, just don’t let them. If their password is within the first 10,000 guesses a cracking tool like Password Recovery Toolkit would try, tell them to pick another. Then add throttling and/or a CAPTCHA on the login form, because a blacklist only stops the very first guesses; the throttle is what stops the next ten thousand. If you skip both, accounts will be hijacked by plain online guessing. This goes double for admins: as Twitter learned, you can’t even trust your own colleagues to pick good passwords.
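Here is what the throttling part looks like in practice. This is an added example written for this post, not code from the original entry or from any framework; the thresholds, the in-memory storage and the account-only keying are illustrative assumptions (a real deployment keeps the counters in Redis or the database, also throttles per source IP, and hands off to a CAPTCHA rather than only refusing).

```ruby
# Added example (not from the original post): a per-account login throttle.
# Failed attempts are counted in a sliding window; once the limit is hit the
# account is locked for a fixed period. All numbers below are assumptions.
class LoginThrottle
  MAX_FAILURES    = 5        # failures allowed per account inside the window
  WINDOW_SECONDS  = 15 * 60  # sliding window length
  LOCKOUT_SECONDS = 15 * 60  # how long attempts are refused after the limit

  # The clock is injectable so the behaviour can be tested without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] }   # account => failure timestamps
    @locked_until = {}                          # account => Time
  end

  # True if a login attempt for this account may be processed right now.
  def allowed?(account)
    now = @clock.call
    until_time = @locked_until[account]
    return false if until_time && now < until_time
    @locked_until.delete(account)   # lockout expired; clean up
    true
  end

  # Call after a failed password check. Returns true if the account is now locked.
  def record_failure(account)
    now = @clock.call
    stamps = @failures[account]
    stamps << now
    stamps.reject! { |t| now - t > WINDOW_SECONDS }   # drop failures outside the window
    if stamps.size >= MAX_FAILURES
      @locked_until[account] = now + LOCKOUT_SECONDS
      stamps.clear
      return true
    end
    false
  end

  # Call after a successful login so stale failures do not accumulate forever.
  def record_success(account)
    @failures.delete(account)
    @locked_until.delete(account)
  end
end
```

Two caveats a practitioner will want: a per-account lockout lets an attacker deny service to a victim by deliberately failing logins, which is why production systems usually key on account and source IP together and escalate to a CAPTCHA before a hard lock; and the throttle must be applied to every path that checks a password (API endpoints, password-change forms), not just the main login page.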
Each time someone picks a password, run it past the Top 500 Worst Passwords of All Time. Compare case-insensitively, and reject it if it differs from anything in the list by only one or two characters (an edit distance of two or less), so that Password1 and passw0rd fail along with password. There ought to be a good, standard, open-source library for doing this, but I’m not aware of any (suggestions?), so you might have to hack together the check yourself.
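One way to write that check, as an added example for this post rather than the author’s code. The word list in the block is a short constructed stand-in for the real Top 500 list (assumption: you would load the real list from a file), and the “one or two characters” rule is implemented as a Levenshtein distance of at most 2, which also counts insertions and deletions, not just substitutions.

```ruby
# Added example (not from the original post). WORST_PASSWORDS is a constructed
# sample, not the real Top 500 list.
WORST_PASSWORDS = %w[
  123456 password qwerty letmein abc123 monkey dragon baseball football
  iloveyou trustno1 sunshine master welcome shadow princess
].freeze

MAX_DISTANCE = 2

# Standard dynamic-programming Levenshtein distance, capped: returns cap + 1
# as soon as the answer is known to exceed cap, which is the common case.
def levenshtein(a, b, cap)
  return cap + 1 if (a.length - b.length).abs > cap
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    # Every cell in this row exceeds the cap, so the final distance will too.
    return cap + 1 if cur.min > cap
    prev = cur
  end
  prev.last
end

# Returns the listed password the candidate is too close to, or nil if it passes.
# Comparison is case-insensitive so Password1 is caught as a variant of password.
def too_common(candidate, list = WORST_PASSWORDS, max_distance = MAX_DISTANCE)
  c = candidate.downcase
  list.find { |bad| levenshtein(c, bad, max_distance) <= max_distance }
end
```

Pair this with a minimum length. Distance 2 against six-character entries like monkey rejects a great many unrelated six-character strings, which is acceptable only because six-character passwords should be refused anyway.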
And, for those of you who’ve never done this before, don’t forget to store only a hash of the password in the database, never the password itself, and salt the hash with a random per-user value so that identical passwords don’t produce identical hashes and a leaked table can’t be cracked with one precomputed table. Here’s why.
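The storage side, as an added example that is not from the original post. It uses PBKDF2-HMAC-SHA256 from Ruby’s standard OpenSSL binding with a fresh random salt per user and a constant-time comparison on verify; the iteration count and the storage format (algorithm, iterations, salt and digest in one dollar-separated string) are assumptions chosen for illustration. A real Rails application would more likely use bcrypt, scrypt or Argon2, but the salt-per-user and never-store-the-password points are the same.

```ruby
# Added example (not from the original post): store only a salted, slow hash.
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000   # assumption: tune so one hash takes tens of ms on your hardware
KEY_LENGTH = 32
SALT_BYTES = 16

def pbkdf2(password, salt, iterations)
  if defined?(OpenSSL::KDF)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_LENGTH, hash: 'sha256')
  else  # older openssl gem without OpenSSL::KDF
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH,
                               OpenSSL::Digest.new('sha256'))
  end
end

# Builds the value to put in the database. Parameters travel with the hash so
# the iteration count can be raised later without a schema change.
def hash_password(password)
  salt = SecureRandom.random_bytes(SALT_BYTES)   # new random salt for every user
  digest = pbkdf2(password, salt, ITERATIONS)
  ['pbkdf2-sha256', ITERATIONS, [salt].pack('m0'), [digest].pack('m0')].join('$')
end

# Constant-time comparison so response timing does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify_password(password, stored)
  algo, iter, salt_b64, digest_b64 = stored.split('$', 4)
  return false unless algo == 'pbkdf2-sha256' && salt_b64 && digest_b64
  salt = salt_b64.unpack1('m0')
  expected = digest_b64.unpack1('m0')
  secure_equal?(pbkdf2(password, salt, iter.to_i), expected)
end
```

Because the salt is random per user, two users who both chose password get different stored strings, and an attacker who steals the table has to attack each row separately at the cost of ITERATIONS hash computations per guess.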
[Update, 1/21: Here is a nice overview of security concerns for webapps, including passwords. And here is some JavaScript code used by Twitter after The Incident to reject common passwords.]
Tags: wach