Password Handling 101

The ‘101’ part of the title is unnecessary. I just added it, because why not?

This blog post will just be a set of rules and guidelines for storing passwords and making sure that the users credentials are safe.

The Password Entry Page

  1. Do not embed secure password pages on other insecure pages, this defeats the point of https in the first place. If you use https, make sure EVERYTHING on the website is loaded over https.
  2. Do not limit the type of characters that the user can input for their username/password. Limiting this encourages the user to have short and weak passwords that are easy to remember, which makes it easier for hackers to brute force the account open. It also shows that you have an inability to filter untrusted data, potentially making you vulnerable to SQL Injection attacks.
  3. Encourage your users create strong and long passwords, by implementing a password strength detecter, similar to the one on this website.
  4. Do not put pictures of locks on your page to say your site is secure. This is unnecessary. The person can see if it is secure or not by the padlock symbol on the browser.
  5. Do not publicly expose elmah logs. This can make your users vulnerable to session hijacking and ID Theft. There is a video by Troy Hunt about it here.
  6. Do not allow your users to have common patterns such as ‘123456789’ or ‘letmein’.

Storing Passwords and other information.

  1. Passwords should be hashed and salted using a secure hashing algorithm like SHA-512.
  2. NEVER encrypt passwords. Just dont! Encryption is useless for password security, because once the attacker has the decryption key, they can decrypt every single password one by one.
  3. Usernames are generally stored in plain text, as they do not pose any importance to hackers.
  4. Other information like emails, phone numbers and home addresses should be encrypted to protect the users’ personal information being leaked

Other things to consider

NEVER EMAIL PASSWORDS TO USERS. Passwords should never be emailed. Email is insecure, it can be intercepted by anybody. Emailing passwords to users also suggests that you either encrypt your passwords or store them in plain text. Both of which are insecure.

Instead of emailing a password, when the user forgets their password, you should just send out a 1-use only reset link. This will enable the user to change their password without the needing to send their password through email.


If you think I missed anything, please contact me about it using this link:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s