Enforce Password Strength Rules on Your Users
Now that we’ve covered storage, let’s talk about the password itself. Most users aren’t security conscious, so you have to help the user when selecting a password. The table is a top-ten list of the most popular passwords from 2014[49] It’s obvious that people don’t really think about account security.
| Position | Password | 2014 Rank | | | Position | Password | 2014 Rank |
|---|---|---|---|---|---|---|
| 1. | 123456 | Unchanged | | | 6. | 123456789 | Unchanged |
| 2. | password | Unchanged | | | 7. | 1234 | Up 9 |
| 3. | 12345 | Up 17 | | | 8. | baseball | New |
| 4. | 12345678 | Down 1 | | | 9 | dragon | New |
| 5. | qwerty | Down 1 | | | 10. | football | New |
Don’t let your users use common dictionary passwords, because your high-tech security measures are useless if the user is using monkey (position 12) or letmein (position 13) as a password. When the user selects a password, compare the string against a known dictionary of common passwords to make sure it isn’t weak. You can easily find lists of common passwords[50] with a simple online search. The following example uses one such list to validate if the selected password exists in a dictionary:
| | 'use strict'; |
| | |
| | var fs = require('fs'); |
| | |
| | var dictionary = {}; |
| | |
| | // Since we are doing it only once on startup then use sync function |
| | fs.readFileSync(__dirname + '/data/dictionary.txt', 'utf8') |
| | .split(' ') |
| | .forEach(function (password) { |
| | dictionary[password] = true; |
| | }); |
| | |
| | // This function will return an error message if the password is not good |
| | // or false if it is proper |
| | module.exports.isImproper = function check(username, password) { |
| | |
| | // About 3 percent of users derive the password from the username |
| | // This is not very secure and should be disallowed |
| | if(password.indexOf(username) !== -1) { |
| | return 'Password must not contain the username'; |
| | } |
| | |
| | // Compare against dictionary |
| | if(dictionary[password]) { |
| | return 'Do not use a common password like: ' + password; |
| | } |
| | return false; |
| | }; |
The more complete the dictionary, the better protection against weak passwords it will provide, but even the smallest dictionaries with just 500 common passwords would provide some protection.
To further increase password security, you should force the user to select stronger passwords. Instead of forcing the user to create passwords with special characters that are hard to remember, have them select longer passwords. Long passwords are easier to remember and offer better security because the resulting hashes take a longer time to crack.
Depending on the nature of the application, I also suggest the user should be forced to change passwords periodically, whether that’s once a month, once a quarter, or even twice a year. This limits the timeframe in which attackers can try to break in with stolen passwords. And they have to start over and recrack the new password after every change. If you do require users to change their passwords, don’t let them use previously used passwords. Just keep the previous hashes and compare the hash of the new one to make sure the user isn’t trying to reuse the password.
Force users to use longer passwords, disallow common passwords, and change them periodically. These three tips will help keep data stored by your application safe.