Password complexity constraints, yes or no
I was going through best practice for password constraints. Happened upon nist guidelines where they discourage complexity constraints and instead suggest depending on length (minimum of 8) and blocklist , password generators etc.
https://pages.nist.gov/800-63-4/sp800-63b/passwords/
Is it better to not enforce any "must contain special character" constraints then?
Also should you trim spaces at the end and start of password before hashing? For username i tend to do it but I'm not sure.
Or do I just set validation that informs the user that spaces at the end or start of password are not allowed.
Or just let the user enter it like that
62 Replies
I would enforce length longer than 8 at this point, and check if they used other info like email or their name, and a disallowed passwords list that is the top X most common passwords, maybe even with a lehvenstein distance calculation. Maybe a check for often repeated characters?
But if security is important, enforce two factor
For blocklist and the distance calculation would it be better to depend on an auth service like auth0, firebase etc or you can also self host that.
Not sure if that's a bad idea.
Currently security isn't as important I'm just building throwaway project for learning but it'll be useful in future
I'd suggest writing it in such a way that it would be easy to wrap a third party service, but if you know what you're doing you totally can write your own auth
it's one of those things that you should only do if you know why you shouldn't
i will say this: if you can implement oauth, do it
either a facebook login, google login or something
why? i don't believe you're ready to handle passwords
handling passwords is honestly the least scary part 😛
the storage is
i can see already imagine
no it's not
a whole table full of plain text passwords
Also should you trim spaces at the end and start of password before hashing? For username i tend to do it but I'm not sure.
I already know to never store password. I always only store the hash
which hash do you use?
use a recently recommended hashing algorithm library and you're fine. Or if you're using PHP, just use the built-in one that auto-updates with PHP
bcrypt for now because argon npm package was giving me issues
do you use a custom salt?
Bcrypt auto generates a salt if you don't give it any i think. For now I set the salt round to 14 and let it handle the salt.
Probably not that good
it's actually the right answer
don't give it your salt
it's usually best to leave those things up to the library you're using, yeah
Oh okay
php even deprecated the option of passing a salt because people were passing low-quality salts, or were passing the same salt to all passwords
are you passing a pepper to the hash?
I'm not no. Don't know the concept of pepper
basically, you have salt and pepper
salt is the pseudo-random generated bit that bcrypt does
pepper is something static, that's the same for all passwords, that you append to the password
So take the password. Append the pepper to it. Then let bcrypt salt and hash that?
someone with just a dump of the database can't get the passwords back because the pepper is on the code side, and all passwords are even harder to crack
precisely
How do you keep track of the pepper?
Like not lose it in case you migrate somewhere else
well, it's a secret, like a database password
handle it the same way, but, don't change it
Gotcha.
Also a random tangent. If storing password is bad how do password managers do it
i can't tell you how all password managers work
Nah I was just wondering if there's a general technique they use to avoid damages in case of breach
but keepass has 2 layers of encryption:
- encryption for the master key
- encryption for the password based on the master key
More out of curiosity. I'm obviously not gonna store password myself
you can, if you hash them
i was wrong, and you seem to be able to handle them yourself
Yeah. I did the auth with odin project and they already highlighted why it was bad to store passwords plainly and to instead hash them
Master key is probably random right? At least for every user
no, master key is derived from your password
it's what you use to unlock
oh, wait, no, you're right
i am still sleepy
master key is randomly generated, and encrypted using your password
Gotcha
it's an awesome scheme
https://en.wikipedia.org/wiki/KeePass#Offline_security <-- it's explained here
KeePass version 2.x introduces a third option—dependency upon the current Windows user.
Is this like windows hello where you gotta input user password or just be logged in as the user themselves. I assume later but you need password to login in the first place so similiar enoughno, it means that only that windows user can decrypt the password
Ah okay gotcha makes sense. Thanks
Oh damn it was in the screenshot itself I didn't read that
🤣
that happens
I don't think jochem finished answering this
Unless his "use a recent hashing algorithm" comment was about it
that's it
in php, there's a constant that defines the latest algorithm to use
So I don't need to care that extra space at the end or start of password can be a user error then
and it even has a simple way to re-check if the password needs to be rehashed to update to the new algorithm
google removes the spaces
So should I remove them then? Spaces between characters shouldn't be removed according to nist
But nothing for at start or end
it's up to you
personally, i never removed
but you can remove from the start and end
Probably the most user friendly option would be to throw an error to the user saying that trailing spaces at start or end aren't permitted
And just reject the attempt
that reveals information about the password
and is super unfriendly
Oh damn yeah
Why super unfriendly tho? Because they need to retype?
yup
and you know how password fields are
Yeah. makes sense. Thanks again
you're welcome
fwiw I think the spaces thing is because folks will request a new password and then copy/paste it sloppily from the email they got
or cp/p it from a password storage document
trimming the spaces (or rahter trimming all whitespace) would make it work consistently even if folks are sloppy with copy/pasting
(but sending even temporary passwords over email is a bad practice, generally you want to send reset links with expiration times)
^ this is extremely important
yup, mostly copy-pasted from emails, which is scary
You mean OTP? Don't they also have expiry time?
OTP is something different, that's a multifactor thing
I mean sending a password reset link to the user rather than sending a new, temporary password
the password reset link then has a validity window (usually something short like 15 minutes), after which you have to rerequest it
I haven't seen that yet. Do sites actually use that if you don't have 2fa set?
you haven't seen sites that send a password reset link?
Not password reset. I mean temporary password
oh! It's not as common anymore, but some still do it
Gotcha
it's also easier to implement, especially if you already have a mechanism for expiring passwords
but yeah, bad for security
Got it. Thanks for the explanation