So let's get the basics out of the way. When it comes to password security, there are some things that, I hope, we all know. Things like:
- Passwords should allow and require both alphabetical and numeric characters
- Passwords should allow and require both uppercase and lowercase letters
- Passwords should allow and require special characters
- Passwords should probably be at least 7 or 8 characters long. If you need to allow fewer characters than that, you should have a REALLY good reason for it.
- Passwords should be changed every [insert period of time here]. Depending on the security level of your system this might be every month, quarter, or six months. Weekly is probably overkill, except for the most secure of systems, and annually is probably too lax.
- Passwords should never be, or even contain, the username. In CFML that check is a one-liner (CONTAINS is case-insensitive, so it also catches "Bob" inside "myBobPass"):
<cfif form.password CONTAINS "#form.username#">
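As an added example (not code from the original post), here is the same set of rules as a server-side check in Python. It implements every rule in the list above, including the username check from the CFML snippet. The minimum length of 8 and the set of characters counted as "special" are assumptions; adjust them to your own policy.

```python
import string

# Added example (not from the original post): a server-side policy check that
# implements the rules listed above. The minimum length of 8 and the set of
# "special characters" are assumptions; adjust them to your own policy.
SPECIAL_CHARS = set(string.punctuation)   # !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~


def check_password(password, username, min_length=8):
    """Return a list of the policy rules the password breaks (empty list = OK)."""
    failures = []
    if len(password) < min_length:
        failures.append("must be at least %d characters" % min_length)
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        failures.append("must contain both letters and digits")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("must contain both upper- and lower-case letters")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("must contain a special character")
    # Same test as the <cfif ... CONTAINS ...> above. CFML's CONTAINS is
    # case-insensitive, so the comparison is done on case-folded strings.
    if username and username.casefold() in password.casefold():
        failures.append("must not contain the username")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for user, pw in [("bob", "bobpass"), ("alice", "Tr0ub4dor&3"), ("Carol", "xCAROL1!z")]:
        problems = check_password(pw, user)
        print("%-12s %s" % (pw, "OK" if not problems else "; ".join(problems)))
```

Returning the full list of failures, rather than stopping at the first one, lets the form tell the user everything that is wrong with the password in one round trip instead of one complaint per submission.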
Now, how about some things you may not have known.
- Don't set a minimum length above 8 characters (unless you have a good reason to). If you force your users to remember really long passwords, they will just write them down on sticky notes and put them on their monitors.
- Don't force your users to change their passwords more often than is appropriate for the security of the system, for the same reason as above.
- Some systems out there have been known to truncate passwords to a shorter length, run Upper() or Lower() on them, or strip out special characters (@, !, ?, #, $, %, etc.) before inserting them into the database, throwing away the very complexity the policy demanded. They then do the same thing to every subsequent login attempt, so that many different passwords all log in as the same one. The user sees a strict policy and thinks the system is secure, while the space an attacker actually has to search is a fraction of what the policy implies. This is STUPID, never do it.
- Where possible, passwords should be submitted via SSL. If you are working on a professional project that costs tens or hundreds of thousands of dollars, or even $1000, somebody can pony up for the dedicated IP and $20 for an SSL certificate. You don't need to use it for every page, just the ones involving authentication.
- The login form itself should also be loaded over SSL, not just posted to it. Technically, as long as the form posts to an "https://" action page, the credentials are encrypted in transit, and when the login process is complete it can redirect the user to an unencrypted page. But if the form page itself arrives over plain HTTP, anyone who can read it on the wire can also rewrite it, for example changing the form's action to an "http://" URL or to a server they control, and the user has no way to notice before hitting Submit. Serving the form over SSL closes that hole, and it also lets your end user see the lock at the bottom of the screen before typing anything.
- NEVER send login credentials in the URL string. This includes on background AJAX calls. The query string is encrypted along with the rest of the request inside an SSL connection, but it then gets written to places a POST body never goes: the browser history, bookmarks, proxy and web-server access logs, and the Referer header sent to the next site the user visits. Always send credentials in the body of a POST.
- On sites where usernames are displayed, for example on social networking sites, a "Display Name" should be used instead, and that display name should be different from the username that is used for logging into the system. Remember that the username is fully half of the information required for authentication on the system. If you are giving away that information, then... you get the idea.
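To make the "illusion of strong security" point concrete, here is an added example (not code from the original post) that models the storage-time "simplification" described above: strip the special characters, Lower() the result, and truncate it. The 8-character truncation length and the sample passwords are constructed assumptions. It shows that passwords which all satisfy the complexity rules collapse onto the same stored value, that a much weaker password then logs in as a strong one, and roughly how many bits of search space the normalisation throws away.

```python
import math
import string

# Added example (not from the original post). weak_normalize() models the
# storage-time "simplification" warned about above: strip specials, lower-case,
# truncate. The 8-character truncation length is an assumption.


def weak_normalize(password, max_len=8):
    """What such a badly designed system actually stores (and compares at login)."""
    kept = "".join(c for c in password if c.isalnum())   # strip @ ! ? # $ % ...
    return kept.lower()[:max_len]                        # Lower() + truncate


def weak_login(stored_value, attempt):
    """Login check on such a system: the attempt gets the same treatment."""
    return weak_normalize(attempt) == stored_value


def collisions(passwords):
    """Group distinct passwords that end up as the same stored value."""
    groups = {}
    for pw in passwords:
        groups.setdefault(weak_normalize(pw), []).append(pw)
    return {stored: pws for stored, pws in groups.items() if len(pws) > 1}


def keyspace_bits(alphabet_size, length):
    """log2 of the number of possible passwords for a given alphabet and length."""
    return length * math.log2(alphabet_size)


# Constructed sample passwords; every one of them passes the complexity rules.
SAMPLE = ["Tr0ub4dor&3", "S3cret!Pa55word", "TR0UB4DOR!!", "Unique9Z?", "s3cretPAYCHECK"]

if __name__ == "__main__":
    stored = weak_normalize("Tr0ub4dor&3")
    print("stored value for Tr0ub4dor&3:", stored)                      # tr0ub4do
    print("'tr0ub4dor' logs in as Tr0ub4dor&3:", weak_login(stored, "tr0ub4dor"))
    for stored_value, pws in collisions(SAMPLE).items():
        print("%-10s <- %s" % (stored_value, ", ".join(pws)))
    full_alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    weak_alphabet = string.ascii_lowercase + string.digits                    # 36 symbols
    print("12-char password, 94-symbol alphabet: %.1f bits" % keyspace_bits(len(full_alphabet), 12))  # 78.7
    print("after normalisation (8 chars, 36 symbols): %.1f bits" % keyspace_bits(len(weak_alphabet), 8))  # 41.4
```

The last two lines are the real damage: a 12-character password drawn from the full keyboard is worth about 79 bits of search space, but once the system has stripped, lower-cased and truncated it, an attacker only has to cover the 36-symbol, 8-character space, about 41 bits, and any guess that normalises to the stored value is accepted.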
This has been a quick list of helpful tips covering some of the no-brainers, and some of the quickie suggestions that did not warrant their own blog post. Some of them will come up in other posts (like submitting credentials on the URL), and others may eventually get their own posts (like Login Names vs Display Names). Thanks for reading; I am enjoying the research I am putting into these posts and I hope that people are finding them helpful.