Just to give you some preamble related to passwords…

A known common password sequence takes less than a millisecond to crack. This doesn’t even have to be a dictionary word.

Some advice to developers in relation to user data and in particular passwords:

- Never store passwords and user data locally on servers.
- Never store passwords and sensitive data in code repositories.
- Hashing passwords with MD5 is not securing user passwords!
- Although hashing with SHA is marginally better, you are still not securing user passwords!
- It’s preferable to hash a password instead of encrypting it. Encryption is a two-way function whereas hashing is a one-way function. Encryption requires you to store a key, which is problematic if someone gains access to the key.
- The “Password Storage Cheat Sheet” from OWASP is a really good resource to make sure you handle passwords in the correct way.
- Use OpenID Connect or OAuth2 if possible, e.g. Single Sign-On (SSO) from Active Directory or Google/Facebook sign-in. At least that way you can offer Multi-Factor Authentication (MFA), and they are more likely able to keep user data safe.
- Do not allow unlimited amounts of bad password attempts. Ideally throttle attempts or, even better, temporarily ban the source IP. You should definitely be triggering a security event if this is happening.

It will notify you if any site has been hacked where your credentials have been stolen. If sign-in using OAuth2 is offered, use it! It may not seem safe, but they will be more likely to keep your personal data safe than the site you are signing into.
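As an added example (not the author's code): storing a password with a per-user salt and a deliberately slow one-way key derivation function from the Python standard library, next to the unsalted MD5 the post warns against. The iteration count is an assumed value taken from OWASP's PBKDF2-HMAC-SHA256 guidance; check the cheat sheet for the current figure.

```python
import hashlib
import hmac
import os

# Work factor: assumed from OWASP's PBKDF2-HMAC-SHA256 recommendation;
# raise it as hardware gets faster, the stored string records what was used.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is random per user, so two users with the same password get
    different records and a precomputed lookup table is useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iterations, compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown or legacy record: refuse rather than guess
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def weak_md5(password: str) -> str:
    """What the post warns against: unsalted and fast, so the same password
    always yields the same digest and common passwords are found by lookup."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("password", record))
    print("md5 of 'password':", weak_md5("password"))
```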