Checklist for Keeping User’s Passwords Safe

I recently wrote a series of blog posts about how we handle users’ passwords at Meebo: post 1, post 2 and post 3. Here’s a collection of that same information, distilled into a set of do’s and dont’s written specifically for developers of websites.

  • When accepting a user’s password on a web page, DO use https to serve all files that make up the page where the user will enter his password.
  • When accepting a user’s password on a web page, DO use a POST request to an https destination.
  • When using a password to authenticate a user, DON’T store the password in persistent storage in plaintext or any reversable format.
  • When using a password to authenticate a user, DO store a cryptographically secure hash of the password. NIST publishes a recommended list of hashing algorithms, with the SHA-2 family of hash functions being recommended for all new applications and protocols.
  • When storing the hash of a password, DO add a salt to the password before hasing. This salt prevents a hacker from using a rainbow table to reverse password hashes. More information.
  • When comparing two passwords for equality, DO use a comparison function with a fixed runtime to avoid timing attacks.
  • When forced to store confidential user information (such as passwords for logging into another service), DO encrypt the passwords using information not stored in persistent storage if at all possible. For example, encrypt the confidential information using the user’s password as the key.
This entry was posted in All, Computers. Bookmark the permalink.

2 Responses to Checklist for Keeping User’s Passwords Safe

  1. Mary Frese says:

    Thank you. I found this site when looking for a safe password checklist. How thoughtful and concise. Do you know if Pearson/PowerSchool initiates any of these conventions?

  2. Mark Doliner says:

    Mary: I don’t know whether Pearson/PowerSchool initiates any of these conventions. I suggest asking them–at least then they’ll know that their users care about security.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>