In the early days of computers and the web, security was a very straightforward and seemingly simple thing. You had two strings — a username and password — that served as access keys to virtually unlock a login screen or dialog box. The vast amount of connectivity we have today has changed everything, including practices with passwords. Therefore, it’s important to know the differences between current practices and ones that have fallen out of relevance.
Simply put, we have more of everything to secure nowadays: more websites, more devices. There are also far more avenues for those who want to do malicious deeds — faster internet connections, higher computing power to attack security, exponentially more apps and software that also increase potential loopholes and vulnerabilities, and formerly offline devices that are now connected to the internet (e.g. your smart TV, household appliances, car).
For the purpose of this article, we’ll be focusing on passwords and their use on the web. As part of keeping our standards high, Contentful will be increasing security requirements on passwords in 2019, so we’ll touch on that as well.
Authentication and authorization
The first step before we talk about passwords is to discuss two concepts that underscore the importance of having security in place. Authentication is when we make sure a user is actually the correct individual with the right of access to an account, while authorization, which comes after, defines what a user is able to do (for instance, which rights and permissions they have to features and functions).
Email verification, a practice that has been around for a long time, is a simple process that’s still relevant and effective for this purpose by ensuring the user has entered the right email address and is able to access said address. Subsequently, authentication is performed by having a user enter the correct combination of credentials, which is usually a username and password.
As part of authorization, users should be assigned the correct set of rights. This provides them with access only to areas which are relevant to their role, isolating their access rights and limiting potential damage from any rogue users or unauthorized third-parties in the event of a security breach.
Setting proper user rights also helps simplify the life of users by restricting or, better yet, hiding areas where they do not have access rights to — this facilitates a clean user experience that is free from clutter and distractions.
All down to the password
Every website and user interface you’ve dealt with, from your email to an online banking account, has varying requirements for what they want your password to look like (uppercase, lowercase, a minimum length, numbers, special characters, etc.). However, the traits of a highly secure password are actually far more less complex. This is due to changes in the landscape — more connected devices, more websites that require credentials and the modern methods of (automated) attacks.
Most hacking attempts that occur in today’s environment are automated — hackers commonly attempt to guess passwords for a known username by trying literally as many permutations as possible until they find one that works. This is known as a "brute force attack". This automated guesswork is facilitated by the computational power of high performance hardware, which is getting more powerful by the year.
The most straightforward way to thwart this guesswork would be to simply increase password length. Every additional character exponentially increases the number of possible permutations, leading to an exponential increase in the time and cost required to carry out a brute force attack. Adding different character types — uppercase, lowercase, symbols, numbers — has little to no impact on actual security compared increasing the overall length of a password.
The next best way to craft a secure password is to avoid reusing passwords (we’ll talk about this later) and easy passwords (which are regular words, names, guessable personal details, and the like). A reused password, even if compromised at a single location, can then be compromised anywhere it’s repeated. Easy passwords can be compromised by "dictionary attacks," a popular and successful type of brute force attack.
A good way to enforce password compliance is to provide live feedback when a user is in the process of creating or changing their password that prevents them from proceeding without first setting a password that satisfies high security standards.
Better password security at Contentful
In 2019, Contentful plans to introduce a new and improved password policy, enforcing all new users and password changes to comply with these new standards based on NIST (National Institute of Standards and Technology) guidelines:
At least eight characters long
Disallowing easy or compromised passwords, implemented via a cross-check against the haveibeenpwned API
Disallowing the reuse of the latest three passwords
Have I been pwned?
Data breaches from unintentional or intentional leaks, lack of encryption, hacks and crime have made the headlines of tech news on a more high profile, frequent basis in the last decade. These incidents have resulted in the compromise of personal information, passwords, financial information such as credit cards and bank details, and intellectual property into the hands of unauthorized parties.
Passwords are one of the higher risk pieces of information, as they can cause a domino effect of security compromises after they are breached. This is because of the high tendency of many users of reusing that same password (and usually, the same username and email address as well) across different websites, applications and machines.
Simply put, once a password and/or combination of the username and password has been compromised from one source, any other non-compromised avenues where that same password or combination is used would all be affected and put at risk.
The most interesting aspect of passwords, both at Contentful and in general tech security, is that there are now services that offer databases of compromised passwords and the security details of billions of account leaks. They are capable of analyzing data such as passwords against the database and alert users if they have already been compromised.
Have I Been Pwned is one such web-based entity. It has an API which uses a RESTful service to comb through compromised email addresses and passwords, and return their state of security. Such tools have a straightforward use case while providing a large impact to the benefit of users and their security in the immediate to short-term.
Minimize effort, maximize security
A step further would be to automate the compromise check above to run at preset intervals or, ideally, as compromises occur and are reported.
Incidentally, the practice of password expiration and forcing users to update their password every so often is now an arbitrary thing of the past. Passwords changes should be forced only when they are compromised — to force change based on a set interval without any reason inconveniences users and makes it more likely they might store their password in an unsafe place or risk getting locked out of their own account or device.
Speaking of password storage, password managers should be embraced by all organizations and users, both for work and personal logins. Password managers not only solve the safe storage needs (with their strong encryption and drastic reduction in username/password combinations users have to remember), but also take the burden off of users by automatically generating secure, unique passwords.
Securing the future
One of the first lines of defense in keeping yourself, your personal information and accounts safe on the web is to create secure passwords. The subject of passwords is often a murky one, thanks to the numerous and differing requirements of creating passwords we’ve seen in different places over time — but it doesn’t have to be this way.
As we’ve highlighted, creating a secure password isn’t a difficult process, and modern tools such as password generators and password managers help make it easier and safer for you to keep track of your credentials. Contentful will soon update password requirements to elevated levels for your security and privacy, and will continue doing so over time as the security landscape demands it.
We've recently launched two brand new data sheets detailing Contentful's vulnerability management and security incident response. For more information about these data sheets, please talk to your Contentful sales contact or account manager.