Proper Password Management within the Datacenter
As consumers continue to put more of their data in “the cloud,” following best security practices is vital to ensuring that your business is able to stay compliant with regulations and also maintain the trust of your customers. For this guide, the focus is on best practices to implement within your code to maintain PCI compliance. For professionals in regulated industries such as finance, legal, or medical you will still need to speak with an expert as the best practices for those industries are more complex.
Rather than focusing on specific applications, this guide is centered on high level techniques which can be applied across systems with ease. This ensures that regardless of your system operating system or control panel software, this guide will be applicable. For a wealth of information on this topic, the Open Web Application Security Project (OWASP) has a wealth of cheat sheets on different aspects of digital security.
High Level Best Practices
Before delving into the technical side of securing passwords, there is one key point you need to keep in mind:
Don’t limit the character set permitted for user passwords (i.e. blocking symbols and special characters). Although character limiting is commonly done to prevent SQL injections, cross site scripting and other injection based attacks, it leaves your users vulnerable to brute force attacks.
A more efficient way to prevent these attacks is to use the following methods:
- Minimize the permissions assigned to application databases so they only can do what is necessary to function
- Minimize the permissions of the operating system which is used to run live database systems
- Validate all input to ensure that it is appropriate – for example a password field shouldn’t have international characters and Windings symbols
- Ensure that you use appropriate escaping techniques included in your database provider libraries
Use an Appropriate Hash
One of the most important points of proper password management is that you never should store a password as plaintext. Although the actual process of hashing will vary depending on the programming language your software is written in, one of the most common hashing algorithms for passwords is SHA-1.
SHA stands for “Secure Hash Algorithm” and the series of algorithms was created by the United States National Institute of Standards and Technology.
Although this guide is focused around password storage, since many datacenters house related sensitive information, aside from SHA, the mcrypt library allows developers to implement encryption of data with minimal changes to their code.
Hashing With Salt
The biggest weakness of hashing alone is that the algorithms hash every password the exact same way. This means plain hashes can be reversed by using lookup tables, reverse lookup tables, and rainbow tables.
To prevent this, you can implement salting to add a random factor to the way passwords are secured. This is crucial because as many internet users only have a single password for all their services, by implementing this technique, you can give your users more time to secure themselves after a breach.