
Web Application Security: Passwords Checklist

Web Application Security: Passwords Checklist is a guide to enforcing strong password policy and security best practices with your applications.
Web applications need multiple layers of security, and passwords still play a central role in protecting user accounts. The items below set out what a password policy should enforce, and what it should deliberately not do.

Minimum Password Length
Set a minimum password length of 12 characters, counted in Unicode characters (code points), not bytes.

Maximum Password Length
Accept passwords of at least 64 characters. Any upper bound should exist only to bound hashing cost (for example 128 characters), and a password must never be silently truncated before it is hashed.

Change Passwords
Allow users to change their passwords.

Password Complexity
If you enforce composition rules, require at least one character from each of the following classes: uppercase, lowercase, numbers, and symbols. Be aware that NIST SP 800-63B (section 5.1.1.2) recommends against composition rules because they push users toward predictable substitutions; length, a breached-password check, and a strength meter give better protection. Treat this item as optional, and never let a complexity rule shrink the set of characters you accept.

Store Password Using a Strong Hashing Algorithm
When storing passwords at rest, hash them with a deliberately slow, preferably memory-hard, password hashing scheme (Argon2id, scrypt, bcrypt, or PBKDF2 with a high iteration count), not a general-purpose hash such as SHA-256. Use a randomly generated salt per password so identical passwords produce different hashes and precomputed tables are useless, store the work-factor parameters alongside the hash so they can be raised later, and compare hashes in constant time.

Use Full Unicode Characters
Accept the full Unicode character set, including spaces and emoji. Apply NFKC (or NFC) normalization before comparing or hashing so the same password entered on different keyboards or platforms always hashes identically.

Password Check
Check every password set at registration or changed later against a list of known breached passwords (at least the top 1,000 or 10,000, ideally a full breach corpus) and reject any match. Run the check on the server, on the normalized password, before it is hashed.
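One way to do this check against a full breach corpus without sending the password anywhere is the k-anonymity range lookup used by the Pwned Passwords API: only the first five hex characters of the password's SHA-1 go over the wire, and the rest is matched locally. The code below is an added example, not part of the original checklist; the range response it matches against is constructed for the example (the suffix for "password" is its real SHA-1 suffix, the other suffixes and all counts are made up), and the live fetcher is shown but not called. SHA-1 appears here only because it is the API's lookup key, not as a storage hash.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed stand-in for one range response. The real service returns, for a
# 5-hex-character SHA-1 prefix, every known suffix in that bucket with its
# breach count, one "SUFFIX:COUNT" per line. Only the suffix for "password"
# is genuine; the other suffixes and all counts are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "0" * 34 + "A:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "F" * 35 + ":7",
    ]),
}


def constructed_fetch_range(prefix: str) -> str:
    """Offline fetcher used by this example; returns "" for unknown buckets."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def http_fetch_range(prefix: str) -> str:
    """Live fetcher for the Pwned Passwords range API (not called in this example).

    Add-Padding makes every response a similar size so bucket sizes do not
    reveal anything about the prefix being queried.
    """
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-checklist-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = constructed_fetch_range) -> int:
    """Return how often the password appears in breaches (0 if unseen).

    Only the first five hex characters of the SHA-1 leave this process; the
    remaining 35 are compared locally against the returned bucket.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)  # padded responses list unseen hashes with count 0
    return 0


def is_breached(password: str,
                fetch_range: Callable[[str], str] = constructed_fetch_range) -> bool:
    """Policy decision: any appearance in a breach corpus is a rejection."""
    return breach_count(password, fetch_range) > 0


if __name__ == "__main__":
    print(breach_count("password"))     # 3861493 (constructed count)
    print(is_breached("7bb2a-Glacier-Teacup-Monday"))  # False
```

To use the live service, pass `http_fetch_range` as `fetch_range`; the matching logic is identical, which is the point of injecting the fetcher.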

Password Strength Meter
Display a password strength meter that shows users how strong their chosen password is, so they get immediate feedback while choosing it rather than a rejection afterwards.
NOTES:
– Don't force users to periodically rotate/change their passwords; require a change only when there is evidence that the password has been compromised.
– Allow users to paste, use the browser's password helper, and use password managers with your application.
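Pulling the length, Unicode, complexity and breached-password items together, the validator below is an added example, not code from the original checklist or its author. It normalizes with NFKC, counts length in code points, checks a constructed stand-in for the top-N breached list (assumed to be lowercase), and treats the complexity rule as a switch so a deployment that follows NIST's advice against composition rules can turn it off. The maximum of 128 characters is this example's own choice.

```python
import unicodedata
from typing import Container, List

MIN_LENGTH = 12
MAX_LENGTH = 128  # well above the 64 the checklist requires; bounds hashing cost only

# Constructed stand-in for the top-N breached password list (lowercase entries).
BREACHED_PASSWORDS = {
    "password", "123456789012", "qwertyuiop12", "iloveyou1234", "passw0rd1234",
}


def normalize(password: str) -> str:
    """NIST SP 800-63B: normalize with NFKC (or NFC) before comparing or hashing,
    so e.g. the ligature U+FB01 "fi" and the two letters "fi" are the same password."""
    return unicodedata.normalize("NFKC", password)


def validate_password(password: str, require_complexity: bool = True,
                      breached: Container[str] = BREACHED_PASSWORDS) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    errors: List[str] = []
    pw = normalize(password)
    length = len(pw)  # Unicode code points, not bytes; every character is allowed
    if length < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        errors.append(f"must be at most {MAX_LENGTH} characters")
    if pw.lower() in breached:
        errors.append("appears in a list of breached passwords")
    if require_complexity:
        # Unicode-aware class tests: "É".isupper() is True, "٣".isdigit() is True.
        # Anything that is not a letter or digit (spaces included) counts as a symbol.
        missing = [name for name, present in (
            ("uppercase", any(c.isupper() for c in pw)),
            ("lowercase", any(c.islower() for c in pw)),
            ("number", any(c.isdigit() for c in pw)),
            ("symbol", any(not c.isalnum() for c in pw)),
        ) if not present]
        if missing:
            errors.append("missing character classes: " + ", ".join(missing))
    return errors


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple", "Password1234"]:
        print(repr(candidate), validate_password(candidate) or "OK")
    print(validate_password("correct horse battery staple", require_complexity=False) or "OK")
```

Note that the breached-list check is applied to the normalized, lowercased password and runs regardless of the complexity switch: a password that satisfies every composition rule but sits in a breach corpus is still a weak password.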
This passwords checklist was submitted to us by Geekmasher and is based on the NIST SP 800-63 standards.
Related Checklists

NIST Password Best Practice Checklist
NIST, the National Institute of Standards and Technology, has established itself as an authority on security best practices.

Password Protection Checklist: Protect Your Data
Protect data with password protection on all your devices, laptops, computers, tablets and smartphones
