Blog: How Tos

8 ways to be great at password management, and protect your customers

consultant-placeholder10 Ken Munro 13 Mar 2014

The recent survey published by Dashlane reminded me of a similar survey I did for the Guardian back in 2008.

I don’t remember the exact details of test cases I used, but I do clearly remember trying the forgotten password feature on each one of 100 major online UK retailers (after laboriously creating accounts on each!).

I was gobsmacked to find that just over half emailed the password back in clear text, so the newspaper merrily published a double page spread quoting this and the rest of my research.

A few retailers got the arse with me, but was that really justified? In order retrieve the password in clear text, it cannot be one-way hashed with a decent algorithm when stored. The hashing is either reversible, or not present at all.

So if the password table wasn’t being properly hashed, what chance that customers other personal details were protected well?

And sending passwords in clear text email? Surely we were beyond that, even in 2008? That was 5 years after the TK Maxx credit card theft scandal that catalysed creation of the PCI DSS.

So I sat down with one of my colleagues to remind myself of good password reset security process. Here’s what @pjvenda and I came up with; a reasonable stab at good practice, though all have pros and cons:

  1. Don’t reset the users password immediately on submitting the forgotten password form. Mail them a link, only reset it when the link is clicked and the reset page is landed on. If not, the hacker can potentially create a denial of service by scripting a wide-scale reset of your valid customer account passwords.
  2. Don’t allow enumeration in the forgotten password form. Return generic errors, not ‘this account doesn’t exist in our database’, otherwise you make the above attack much easier. Also, if the username is the customers email address, you will leak your customer contact addresses though mining of the form. Phishing for passwords, here we come…
  3. Before you allow the password to be reset, ask for another item of data. Ideally a pre-shared secret question, or at the very least an item of data that the customer isn’t going to forget. Bear in mind addresses etc. are available online for anyone to look up…
  4. Make sure that reset link or token is one-time only.
  5. If you do set a temporary password for the user, your app must force it to be changed on first use.
  6. When storing passwords, one-way hash them. Even if the hashes are stolen, it’s a slow process to crack complex passwords, even using Hashcat.
  7. Enforce a good password policy. Consider password length, use of alphanumerics, case and special characters.
  8. Don’t leave password reset requests “alive” forever, they can be abused. Find a sensible duration, maybe a few hours, and set the reset to expire then.

Obviously no-one wants password complexity and management to get in the way of someone setting up that account or making that transaction, but there is always a middle ground. If you don’t, your customer will re-use passwords from other sites, then the 3rd party gets hacked, hashes get stolen, cracked, then your customer accounts get compromised.

Plenty of e-commerce sites offer links to Verisign and other root CAs to attempt to prove they are secure during the checkout process.

So why not link to a free password vault too, whilst the customer is creating a password on your site?

It’s the ideal time to capture them, when they’re thinking about passwords and security. Maybe it will reduce the order completion rate a little, so perhaps give them a reminder after the transaction is completed instead.

Guess what: Dashlane make password vault/wallet products. What a surprise. No wonder they ran that survey!

Plenty of others around though, e.g. LastPass, KeePass and one probably came with your anti-virus security suite.