The purpose of authentication is to confirm that a user is who they say they are. The authentication example most of us are familiar with is signing in to a website with a username and password. The username is who the user claims to be; the password is how they confirm that claim. The website verifies the two pieces of information together: if the password supplied matches the password stored for that username, sign-in is allowed; if it does not, sign-in is denied.
You can see that anyone who possesses those two pieces of information can successfully claim to be someone else and impersonate their identity. This is why, as users, we keep passwords secure by:
- Not reusing – Across different sites, services and applications
- Not writing down – On a Post-it note or in an email
- Avoiding the obvious – Not using any of the most commonly used passwords
- Not sharing – With colleagues or family members
- Going long – The longer the password, the harder it is for someone to guess
Methods for securing accounts and passwords
There are other methods of securing your user account and password. Some of the following will be familiar. Also included are solutions that systems and organisations often implement to reduce the reliance on password methods and improve account protection.
- Multi-factor authentication (MFA) – Require an additional piece of information that only the user has access to. This is often a one-time passcode (OTP) that is sent to the user by an SMS text message or email, or generated by an app.
- Single sign-on (SSO) – Using a single set of credentials to access multiple services and applications. A common example of this is when you have signed into your work machine: you are not prompted to sign in again when accessing the applications and services you use on a regular basis, because you have already authenticated with Active Directory. With more and more organisations making the move to cloud platforms, extending on-premises credentials to Azure Active Directory means that the same set of credentials can also be used to access online services such as Office 365 and other web-based applications that support Azure Active Directory authentication.
- Account lockout – To protect against brute-force password attacks, some applications and services will lock an account after a certain number of repeated failed sign-in attempts with incorrect credentials. This deters an attacker from submitting many password combinations in the hope of eventually finding the correct one. The lockout might be temporary and automatically lift after several minutes, or it might be permanent and require manual intervention to unlock. The main purpose is to slow down attempts and discourage attacks by increasing the time each one takes until it is no longer worth continuing.
- Securing passwords in transit – Using HTTPS to secure the connection between the user and the web application so that all data transmitted, including passwords, cannot be read by anyone intercepting it. Making sure the correct SSL/TLS version is used to encrypt HTTPS connections should not be overlooked either. TLS 1.2 is the current recommendation, and many online services have been dropping support for TLS 1.0 and 1.1 over the past 12 months.
- Securing passwords at rest – Passwords need to be stored somewhere, often in a database, so that when users sign in the password entered can be verified. You should never store passwords as plaintext. Instead, you should hash passwords before storing them. Note that we are referring to hashing passwords rather than encrypting them. Hashing is a one-way process, whereas encryption is a two-way process: with encryption, the original plaintext value can be retrieved through decryption, so anyone who obtains the key can recover every stored password, while a hash cannot be reversed.
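As an added example (not code from the original article), the sign-in check below combines two of the controls in the list above: passwords hashed at rest with a per-user random salt and verified with a constant-time comparison, and a temporary account lockout that lifts automatically after a fixed period. The in-memory store, the usernames, passwords and clock values, and the policy numbers (MAX_FAILURES, LOCKOUT_SECONDS, the PBKDF2 iteration count) are all constructed for illustration and are assumptions, not values from the page.

```python
"""Added example: salted password hashing at rest plus temporary account lockout.
Everything here (names, policy values, sample users) is constructed for the demo."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5            # assumed policy: lock after this many failed attempts
LOCKOUT_SECONDS = 15 * 60   # assumed policy: temporary lockout, lifts automatically
PBKDF2_ITERATIONS = 200_000 # demo value; tune upward for production hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt per user means two users with the
    same password get different stored hashes, and the hash cannot be reversed."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes            # only the hash is stored, never the plaintext
    failures: int = 0
    locked_until: float = 0.0 # epoch seconds; 0.0 means not locked


@dataclass
class UserStore:
    accounts: Dict[str, Account] = field(default_factory=dict)

    def add_user(self, username: str, password: str) -> None:
        salt, pw_hash = hash_password(password)
        self.accounts[username] = Account(salt, pw_hash)


def sign_in(store: UserStore, username: str, password: str, now: float) -> str:
    """Return 'ok', 'locked' or 'denied'. `now` is injected so the lockout can be tested."""
    account = store.accounts.get(username)
    if account is None:
        # Spend the same hashing effort for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, salt=b"\x00" * 16)
        return "denied"
    if account.locked_until > now:
        return "locked"                        # still inside the lockout window
    if account.locked_until:
        account.failures = 0                   # window elapsed: automatic unlock
        account.locked_until = 0.0
    _, candidate = hash_password(password, salt=account.salt)
    if hmac.compare_digest(candidate, account.pw_hash):  # constant-time compare
        account.failures = 0
        return "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


def demo() -> List[str]:
    """Constructed scenario; returns the sequence of sign-in outcomes."""
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")   # constructed sample user
    t = 1_000_000.0                                            # constructed clock value
    results = [sign_in(store, "alice", "correct horse battery staple", t)]   # ok
    results.append(sign_in(store, "mallory", "anything", t))                  # unknown user
    for _ in range(MAX_FAILURES):                              # 4 denied, then locked
        results.append(sign_in(store, "alice", "wrong password", t))
    results.append(sign_in(store, "alice", "correct horse battery staple", t + 60))
    results.append(sign_in(store, "alice", "correct horse battery staple",
                           t + LOCKOUT_SECONDS + 1))           # lockout lifted: ok
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the lockout check runs before any hashing, so a locked account rejects even the correct password until the window elapses, which is the "slow down attempts" behaviour described above; the stored `pw_hash` is all an attacker who dumps the store would obtain.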
Further guidance on authentication
In the UK, the NCSC provide guidance on different approaches to consider when reviewing password policies.
In the US, NIST updated their password guidelines recently, and this article by Auth0 has a useful breakdown of the publication.
And for the more technical audience, OWASP provide an authentication cheat sheet that includes guidance on authentication and password best practices.