Password Management and Authentication Best Practices
Attackers are always looking for new ways to crack passwords and gain access to sensitive information. Keeping passwords secure is a challenging yet critical task. Read this blog to learn several best practices for password management and authentication so you can keep your environment safe.
It's no secret that attackers are constantly looking for new ways to gain unauthorized access to accounts. To that end, attackers aggressively target the systems used for managing and resetting passwords, for user management (especially user registration) and for authentication. In fact, according to the most recent Verizon Data Breach Investigations Report (DBIR), roughly 49% of breaches involved the use of stolen credentials. A security mistake in any of these password- and user-management steps can leave the door open for an attacker and have disastrous consequences.
While there are many tactics for safeguarding credentials and keeping your environment safe, we've called out three key ones below.
Use a strong hashing algorithm
Hashing transforms a user's plain-text password into a fixed-length value, called the digest, by applying a one-way mathematical function known as a hashing algorithm. The digest, not the password, is what gets stored in the organization's database. A password hash is deterministic (the same input always yields the same digest) but cannot feasibly be reversed to recover the original password, so it acts like a fingerprint of the password. The next time the user logs in, the application hashes the submitted password in the same manner and compares the result with the stored digest. If they match, the user is granted access to the account.
To protect passwords, use an algorithm designed specifically for password storage, such as bcrypt or Argon2 (scrypt and PBKDF2 are also acceptable). These functions are deliberately slow and, in the case of Argon2 and scrypt, memory-hard, which limits how many guesses per second an attacker with a stolen database can try; general-purpose hashes such as MD5 or SHA-256 are fast by design and are not suitable on their own. In addition, organizations should always "season" passwords with salt and pepper. A salt is a random value generated per user, combined with the password before hashing and stored alongside the resulting digest; it ensures that two users with the same password get different digests and defeats precomputed (rainbow table) attacks. A pepper is an additional secret value, shared across all users, that is also mixed into the password before hashing but is kept outside the database (for example, in an application secret store or HSM), so that a database dump alone is not enough to begin cracking. Passwords should always be salted prior to hashing them. For more information about this process, read our new "Password, Authentication & Web Best Practices" whitepaper.
Implement multi-factor authentication (MFA)
Username-and-password authentication is the fundamental, widely used method for authenticating users of digital systems, but a password on its own is a single factor. Multi-factor authentication requires a user to present two or more independent credentials (something they know, such as a password; something they have, such as a phone or hardware token; or something they are, such as a fingerprint) to verify their identity before logging into an account. This means an attacker who has stolen a password would still have to compromise another factor to gain access.
There are multiple methods for implementing MFA, such as a one-time link sent to the user, a time-based one-time password (TOTP) generated by an authenticator app, or codes and approval prompts delivered by text message, email or push notification. The methods are not equally strong: SMS codes can be intercepted or redirected through SIM swapping, and push approvals are exposed to prompt-fatigue attacks, so phishing-resistant options such as hardware security keys should be preferred where the organization can deploy them. The best method of implementation will vary depending on the unique needs of the organization. Regardless of the method you choose, implementing MFA adds an extra layer of protection for user credentials.
Create a firm password policy
Finally, let's take it back to the basics. Organizations should create policies that require the use of strong passwords. This is one of the first lines of defense your organization has. There are many important requirements for a strong password policy, but we highlight two below.
First, prohibit the use of weak passwords and the continued use of default credentials, such as a username and password combination of "admin/admin". For more tips on strong passwords, check out this Cybersecurity and Infrastructure Security Agency (CISA) blog.
Second, while users must ensure they use strong passwords, application architects and developers should use safe approaches when dealing with user credentials. For example, they can eliminate the use of hard-coded secrets. Also called embedded passwords or hard-coded passwords, these are plain-text passwords or other sensitive values, such as encryption or API keys, that are embedded directly in source code and that, if exposed, can allow attackers to bypass authentication. For more information on hard-coded secrets, check out this article from OWASP.
For many more details on this topic, download our free whitepaper, "Password, Authentication & Web Best Practices."