By Craft Compliance

3 Ways To Properly Set Up Secure Password Authentication



How can you make your password authentication more secure?


It’s often debated whether passwords will continue to be the most common method of authentication in use in the near future. However, the truth is that while they may not be the most secure option, they aren’t going anywhere until we have a better solution for regular authentication.


They are easy for developers to set up, easy for users to understand, and easy to change in the event of a problem. Because they are so prevalent, though, attackers have become very good at exploiting them, through guessing, credential stuffing, and phishing.


Therefore, it is crucial to set up your password authentication securely. Here are three ways to make your organization’s password authentication more secure:


Embrace Complex Passwords


A longer, more complex password may be slightly harder to remember, but the increased security is worth committing an extra character or two to memory.


Enforce a minimum length of at least 8 characters, and allow much longer passphrases (64 characters or more, including spaces) rather than capping length. If you also require a mix of lower case, upper case, digits, and special characters, keep in mind that length does more for security than composition: every extra character multiplies the guessing space, while predictable substitutions such as "a" to "@" or a trailing "1!" appear in every cracking wordlist. Current NIST guidance (SP 800-63B) favors length and breach-list screening over mandatory composition rules for exactly this reason.


Reject Common Passwords


Data breaches are so common that attackers hold terabytes of previously used credentials, stolen from services and websites and traded openly.


A common attack technique, known as credential stuffing, is to replay these captured passwords (many of which meet standard complexity requirements) against accounts on other sites, on the expectation that users reuse passwords and that many of them are still in use.


Many legitimate services exist today that allow website owners to check proposed user passwords against some of these databases of breached accounts.


Our recommendation is the Pwned Passwords service at haveibeenpwned.com, which uses a k-anonymity range query so the password is never revealed to the remote service: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every breached hash suffix that shares that prefix, along with how many times each was seen; the comparison against the full hash happens locally. Alternatively, you can download a list of common or breached passwords to your server and validate the password locally. Just be sure to update your list occasionally, and treat a hit as a hard reject rather than a warning.
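The two checks above (a length/composition rule and a breach-list lookup using the k-anonymity range protocol) combined into one validator, as an added example that is not code from the original post or from Craft Compliance. The breach data and the hit counts are constructed for the example, and `fake_range_api` simulates the response shape of `https://api.pwnedpasswords.com/range/{prefix}` offline instead of making a network call; swapping in a real HTTP GET for that one function is all that changes in production.

```python
import hashlib
import re
from typing import Callable, Dict, List, Tuple

MIN_LENGTH = 8

# Constructed sample of breached passwords with made-up hit counts (assumption).
# Stands in for a downloaded breach list or the remote Pwned Passwords corpus.
BREACHED: Dict[str, int] = {
    "password": 3730471,
    "123456": 37359195,
    "letmein": 237661,
    "P@ssw0rd!": 1425,   # meets composition rules yet is widely breached
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the hash format the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def k_anon_parts(password: str) -> Tuple[str, str]:
    """Split the hash into the 5-char prefix that is sent and the 35-char suffix
    that stays local (k-anonymity: the server never learns the full hash)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def fake_range_api(prefix: str) -> str:
    """Offline stand-in (assumption) for GET /range/{prefix}: returns one
    'SUFFIX:COUNT' line per breached hash that shares the requested prefix."""
    lines = []
    for pw, count in BREACHED.items():
        p, suffix = k_anon_parts(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def breached_count(password: str,
                   range_api: Callable[[str], str] = fake_range_api) -> int:
    """Number of times the password appears in breach data, 0 if never.
    Only the prefix leaves this function; suffix matching is done here."""
    prefix, suffix = k_anon_parts(password)
    for line in range_api(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def composition_problems(password: str) -> List[str]:
    """Length and character-class rules from the policy above."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": r"[a-z]",
        "uppercase": r"[A-Z]",
        "digit": r"[0-9]",
        "special": r"[^A-Za-z0-9]",   # any non-alphanumeric, spaces included
    }
    missing = [name for name, pat in classes.items() if not re.search(pat, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def validate_password(password: str,
                      range_api: Callable[[str], str] = fake_range_api) -> List[str]:
    """Empty list means the password is acceptable; otherwise the reasons to reject."""
    problems = composition_problems(password)
    hits = breached_count(password, range_api)
    if hits:
        problems.append(f"seen {hits} times in breach data")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd!", "Tr0ub4dor&3"]:
        print(candidate, "->", validate_password(candidate) or "OK")
```

Note that `P@ssw0rd!` passes every composition rule and is rejected only by the breach check, which is the point of running both.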


Use Multi-Factor Authentication


Authentication is based on one of three kinds of factor: something you know (e.g. a password or security question); something you have (e.g. an ID card, a badge, a phone, or a hardware token); or something you are (e.g. a fingerprint or iris scan).


Multi-factor authentication requires at least two of these categories. Passwords are something you know, so most implementations add a "something you have" proof: a one-time code from an authenticator app, a push notification, or a hardware security key. Text-message and email codes are better than nothing but are the weakest options, since SMS can be intercepted through SIM swapping and an email account is usually protected by just another password; prefer time-based one-time codes (TOTP) or FIDO2/WebAuthn keys, which also resist phishing.


If you’d like six more simple security steps to implement for better website security, download our free resource: 7 Steps To Website Security Worth Bragging About.

