Web security: passwords

Eleventh post in the web security series.

Some thoughts about passwords:

  • Don't use passwords! If there is no need for your users to create an account on your website, don't force them to do so. For instance, an eCommerce website should not make account creation mandatory; there is no need for it.
  • Still don't use passwords! If you can use a third party decentralized authentication system like OpenID, BrowserID, WebID… do it.
  • Obviously your login form MUST be served over HTTPS (as should the rest of your website).
  • Never send passwords (by email or anything).
  • If you create a default password for a user, force them to change it the first time they use the website.
  • Set the minimum length to a high enough value (a minimum of 12 characters being recommended).
  • Do not limit the maximum length (the stored version of the password will always be the same length whatever the password length is).
  • Allow any characters.
  • Force the use of different kinds of characters (for instance: at least one letter, one number, one "special" character…).
  • Make the password expire (but not too often).
  • Never store the password in plain text: use a cryptographic hash function. Typically store the result of hash(salt + password), where salt is cryptographically random data of the same size (in bits) as the hash result and is different for each user (you can store the salt in plain text, as it is not secret; you will need it to verify the password). Don't use MD5 or SHA-1, as they are too weak; at least use SHA-256 or SHA-512. Still, simple hash functions like those are not good enough either, because they are fast to compute. Use specialized algorithms like bcrypt or scrypt with a big enough work factor.
  • Do the hashing on the server side.
  • Compare the 2 hashes in constant time (in order to prevent guessing through timing differences).
  • Block the user account after repeated failures (after 3 consecutive failed attempts for instance) in order to protect against brute force attacks.
  • Forbid the most common passwords.
  • If possible, compile "leaked" accounts from other websites and prevent users from using the same credentials on your website.
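As an added illustration of the salted-hash and constant-time-comparison points above (example code, not from the original post), here is a minimal Python storage routine using scrypt from the standard library; the work-factor values are assumptions to be tuned for the target hardware.

```python
# Added example: per-user random salt, a memory-hard KDF (hashlib.scrypt,
# standard library) and constant-time verification of the stored hash.
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors: assumed values for illustration, tune for your hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32       # 256-bit derived key
SALT_LEN = 32    # salt as long as the derived key, as the post recommends


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "scrypt$N$r$p$salt_hex$key_hex".

    Storing the parameters next to the hash lets the work factor be raised
    later without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh cryptographically random salt per user
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    # compare_digest does not stop at the first differing byte, so the
    # response time does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, expected)
```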
