I recently wrote a series of blog posts about how we handle users’ passwords at Meebo: post 1, post 2 and post 3. Here’s a collection of that same information, distilled into a set of do’s and don’ts written specifically for developers of websites.
- When accepting a user’s password on a web page, DO use https to serve all files that make up the page where the user will enter his password.
- When accepting a user’s password on a web page, DO use a POST request to an https destination.
- When using a password to authenticate a user, DON’T store the password in persistent storage in plaintext or any reversible format.
- When using a password to authenticate a user, DO store a cryptographically secure hash of the password. NIST publishes a recommended list of hashing algorithms, with the SHA-2 family of hash functions being recommended for all new applications and protocols.
- When storing the hash of a password, DO add a salt to the password before hashing. This salt prevents a hacker from using a rainbow table to reverse password hashes.
- When comparing two passwords for equality, DO use a constant-time comparison function, whose running time does not depend on where the two inputs first differ, to avoid timing attacks.
- When forced to store confidential user information (such as passwords for logging into another service), DO encrypt the passwords using information not stored in persistent storage if at all possible. For example, encrypt the confidential information using the user’s password as the key.
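The storage and comparison rules above, put together as an added example (not Meebo’s code): a per-user random salt is prepended to the password before a SHA-256 (SHA-2 family) hash, and verification uses a comparison that does not stop at the first differing byte. The function names and the 16-byte salt length are my choices, not from the posts.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 16  # assumption: 128-bit random salt per user


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; a fresh random salt is drawn when none is given.

    Only the salt and the digest are persisted, never the password itself.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Byte-wise comparison with no early exit on the first mismatch.

    Every byte is visited and OR-ed into `diff`, so the loop's running time
    does not reveal how many leading bytes matched. Inputs of different
    length return immediately, which is harmless here because stored
    digests all have the same fixed length.
    """
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the salted hash of a login attempt and compare it in constant time."""
    _, candidate = hash_password(password, salt)
    # hmac.compare_digest is the standard-library constant-time comparison;
    # constant_time_equal above shows what it does under the hood.
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password:", verify_password("Tr0ub4dor&3", salt, digest))
```

Two users with the same password get different digests because their salts differ, which is exactly what defeats a precomputed rainbow table. A purpose-built slow password hash (for example PBKDF2, available as `hashlib.pbkdf2_hmac`) can be dropped in place of the single SHA-256 pass to raise the cost of offline guessing further.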