Tuesday, April 12, 2016

Manage your customer password

I am continuing my series of posts on security topics of primary interest to businesses, as I mentioned in my first post on this blog. Last month, I talked about how to manage your passwords online. In this post, I focus on making sure you are managing your customer's passwords carefully.

If your company requires any kind of login to your web site, you have the major responsibility of making sure those passwords are stored in a secure way. Over the last few years, we have seen in the news many data breaches that included the obtaining of databases of user accounts, which also included passwords. As was mentioned last month, many people use the same password at multiple web sites. If your database is compromised, would an attacker then be able to use your customer's passwords to compromise other systems, including banks, etc.?

What can I do to store a password securely?

There are several ways to store passwords. One is in the clear, or "open text" which means just what it sounds like - stored as it is saved by the user. This means there is no security at all. If you reset your password on a website and that company sends your password as a clear text value in the email, that company is not doing what it should to keep your data secure. I would consider canceling your account through them immediately.

Ideally, the recommended way to store a password is to store a "hashed password". This essentially means using a mathematical function that takes your clear text password and runs it through to get a result with a constant length. For example, your password: "SillyDog" may run through a hash function to produce "aP;v77a7blskda;fbblskd--". The great thing about hash functions is they are one-way only. You can't decrypt a hash function result, but instead the only way to know you have the right password is you compare the entered password by the user with the hash function result to verify it matches what was saved the first time you saved the hashed password. This makes sure the only person who knows the password is the user and not anyone else. Some other considerations is to use a random value with the user password, for example: 

hash ("random value" + "user password") = "hashed password" 

This will introduce some randomness in the collection of hashed passwords in case there are any duplicate passwords in the database that would resolve to the same hashed password. The way to know if a web site is using a method like this is they won't be able to send you your password for a password reset, but instead will ask you for other information to identify you and then let you create a new one. Remember, a secure password solution is one-way only and only the user, not the company, would and should know the password.

What else can we do?

Another great technique for protecting user accounts and logging in for the user is to use what's call two-factor authentication. The idea behind this is to use two or more methods of verifying a user account. Ideally this means using one of these two:

1. What you know (password)
2. What you own (a code sent to your mobile phone)
3. Who you are (biometric such as a thumbprint)

Lots of banks, Amazon, Google mail, and other services are using this method. For example, you would enter your password, and then a code is sent to your mobile phone that you must also enter to finally be logged into the system. There is a web site that lists what companies are providing two-factor authentication services: 


The details for how to set this up for your company is beyond what I can describe here. If you are concerned about the possibility of someone using your customer's password from another web site against your web site, using two-factor authentication will put a stop to it because they will also need to have that user's mobile phone in their possession as well. 

Next steps

Whatever method you use to store passwords securely for your customers, think carefully about how you manage those passwords and how you request them from the user. Give it some thought and consider the recommendations above. If I can be of help in setting up your own password policy, or evaluating it, please get in touch. If you have any general questions about passwords, please let me know below.

About Robert Hurlbut

Robert Hurlbut, owner of Robert Hurlbut Consulting Services, based in Enfield, CT, provides software security consulting, architecture, and training. This includes software development, threat modeling, secure code reviews, and other kinds of security audits for your company. If Robert can be of assistance to your company, please get in touch through the below contacts.

Web: https://roberthurlbut.com
LinkedIn: https://www.linkedin.com/in/roberthurlbut
Twitter: @RobertHurlbut


  1. That is thought provoking~~and sometimes disturbing!~~ information, whether we're the customer or the company. Good to learn it from you, Rob, and not at the School of Hard Knocks.