So as I have been planning for my posting on Password Security Best Practices it occurs to me that this is a HUGE topic. So I am going to be doing this in multiple sections. Each section should be self-contained (although each might require multiple blog postings).
I am going to start out this series with a little anecdote about password security.
I was looking at the password security for a pretty widely used web application, and it seemed pretty good. They were following a lot of the good practices.
- Password must contain at least one capital letter
- Password must contain at least one numeral
- Password must be at least 8 characters long
- Password must contain at least one special character
- Password must be changed every 30 days
- Password cannot be changed to another password that has been used in the last 6 months
All in all, this looked really solid from the front. I did not see how they were storing or transmitting the passwords on the back end. I do not know what they did with the password after authenticating; I am only speaking of the basic password creation and use rules. So far, so good.
Then I clicked the "Forgot my Password" link, and everything changed. It took me to a page with a very simple question:
"What is your Social Security Number?"
Well, this seemed strange. I guess they just have a default security question that they ask everyone and if it's answered correctly then they reset my password and email it to the email address I have on file. Right?
NOPE. I entered my Social Security number and then it took me to a new page which spat my new password out right there on the screen. No additional security questions. No email to tell me my new password. No email to let me know that an account change was made. So in other words, all someone needs to access my account is my social security number, and all of those other rules mentioned above are POINTLESS. They may as well just make my password be my social security number and never have it expire.
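To make the contrast concrete, here is an added example (not code from the application in the story, and not from this blog) that models the two reset flows side by side: the weak one, where a single static answer immediately produces a new password on screen, and a hardened one, where the reset goes through a random, single-use, time-limited token delivered to the email address on file, with a change notification afterwards. The user records, the `send_email` callback and the SSN value are constructed for the example; PBKDF2 stands in for whatever password hashing the real site used.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the stored password and the stored SSN answer.
    A real deployment would prefer argon2 or bcrypt; PBKDF2 keeps this stdlib-only."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


@dataclass
class User:  # constructed record shape, not the real application's schema
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    ssn_hash: bytes  # the post's single static "security question" answer


def make_user(username: str, email: str, password: str, ssn: str) -> User:
    salt = secrets.token_bytes(16)
    return User(username, email, salt, hash_secret(password, salt), hash_secret(ssn, salt))


def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, hash_secret(password, user.salt))


class WeakResetFlow:
    """The flow in the story: one static answer, new password printed straight to the
    screen, no out-of-band delivery, no notification to the account owner."""

    def __init__(self, users: dict):
        self.users = users

    def reset(self, username: str, ssn_answer: str):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.ssn_hash, hash_secret(ssn_answer, user.salt)):
            return None
        new_password = secrets.token_urlsafe(8)
        user.password_hash = hash_secret(new_password, user.salt)
        return new_password  # whoever typed the SSN now holds the account


class HardenedResetFlow:
    """Reset via a random, single-use, time-limited token sent to the email on file.
    The requester never sees a secret on screen, and the owner is told of the change."""

    TOKEN_TTL_SECONDS = 15 * 60
    NEUTRAL_REPLY = "If that account exists, a reset link has been emailed."

    def __init__(self, users: dict, send_email):
        self.users = users
        self.send_email = send_email  # assumed callable(to_address, body); constructed for the example
        self.pending = {}  # sha256(token) -> (username, expiry); raw tokens are never stored

    def request_reset(self, username: str, now=None) -> str:
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is not None:  # same reply either way, so usernames cannot be enumerated
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (user.username, now + self.TOKEN_TTL_SECONDS)
            self.send_email(user.email, f"Reset your password with token: {token}")
        return self.NEUTRAL_REPLY

    def complete_reset(self, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes every token single-use
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        user = self.users[username]
        user.password_hash = hash_secret(new_password, user.salt)
        self.send_email(user.email, "Your password was changed. If this was not you, contact support.")
        return True
```

Note where the two flows differ: the weak one turns the SSN into a permanent, non-expiring equivalent of the password, which is exactly the observation in the story. The hardened one keeps the secret out of the requester's hands (only the mailbox owner receives the token), limits it in time and to one use, stores only a hash of it, answers unknown and known usernames identically, and notifies the owner, so an unauthorised reset attempt becomes visible rather than silent.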
The point of this story is, no matter what kind of security you put around something, if you leave a hole, the rats will get in. That is why it is very important to examine all aspects of your password (and other) security systems to see how they can, and will, be exploited. In my coming security posts I hope to discuss (and I do mean discuss, I do not know everything and I welcome comments and suggestions) application security and how we, as developers, are responsible for the code we write and how it can be exploited.