A password is meant to secure an asset against unauthorized access from an attacker.
In order to prevent someone from gaining access, the password must be hard to guess, which means it must be strong enough to resist guessing-based attacks (such as dictionary and brute-force attacks).
Some heuristics to prevent a weak password are a combination of:
- numbers
- special characters
- upper and lower case characters
- a minimum of 8 characters long
Statistics show that the most common passwords chosen by users are “password” itself and “123456” [Reference]. A weak password can be used as an entry point by unauthorized users.
In other words, a website could be utterly secure in the way it stores passwords, but if a user chooses a weak password like “123456” or “password”, there is nothing that storage security can do about it.
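As an added example (not code from the original article), the heuristics listed above plus a denylist of the two most common passwords mentioned, implemented as a single check that reports every rule a candidate fails. The denylist and the `password_weaknesses` function name are constructed for this example.

```python
import string

# Constructed denylist for this example: only the two passwords the article
# names. A real deployment would check against a large breached-password list.
COMMON_PASSWORDS = {"password", "123456"}

MIN_LENGTH = 8  # the article's minimum length heuristic


def password_weaknesses(password: str) -> list[str]:
    """Return the list of heuristics the password fails (empty means it passes).

    Checks mirror the article: digits, special characters, upper and lower
    case, minimum length, plus outright rejection of the most common passwords.
    """
    failures = []
    if password.lower() in COMMON_PASSWORDS:
        failures.append("common password")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        failures.append("no mix of upper and lower case")
    return failures


def is_strong(password: str) -> bool:
    """True when the password satisfies every heuristic above."""
    return not password_weaknesses(password)


if __name__ == "__main__":
    # Constructed sample candidates, including the two from the article.
    for candidate in ["123456", "password", "correcthorse", "Tr0ub4dor&3"]:
        print(candidate, "->", password_weaknesses(candidate) or "ok")
```

Composition rules like these still accept predictable patterns (a capital letter, a digit and a `!` bolted onto a dictionary word), so the denylist check is the part that does the most work in practice.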
This article aims to discuss how passwords should be stored on a server, and how they should not.
For instance, if you can avoid storing passwords on your server at all, do so. Let others do that job for you (Google, Facebook or Twitter). This is recommended if you are not a security expert. Maybe you are starting a new online project and want to let your users log in with a social network profile. By doing this you no longer have to store passwords on your server, and even though all of the sites just mentioned have already been hacked, I am pretty sure that they have a better understanding of secure password storage.
