As technology advances, the threat to security grows everywhere. When we consider computer systems in particular, a security failure can do severe damage both to the client side and to your organization.
Nowadays, whenever we want to access a new application over the internet, it asks us for a password. That means we have to create a different password for each application. What most people do instead is reuse the same password across systems, which is bad practice. Suppose a person called Joe uses 4 web applications and the same password for all of them. When one of the 4 systems is breached, a third party can take the stored password and try it elsewhere. Since Joe reused that password on the other 3 applications, all of his accounts are now exposed (attackers automate this, which is known as credential stuffing). The major objectives of providing security are to achieve:
- Confidentiality: Prevent unauthorized access to confidential information,
- Integrity: Protect data from unauthorized alterations and modifications,
- Availability: Ensure data is accessible whenever an authorized party needs it.
Here are basic rules we can use when creating a new password for web applications such as Facebook, LinkedIn, Instagram, Pinterest and so on.
- Use more than 9 characters (longer is better; length does more for strength than any single rule below).
- Use numbers as well as letters in both upper and lower case.
- Use symbolic characters like @, !, $, % and so on.
Basically, attackers (commonly called hackers) use their skills to exploit whatever security vulnerability they find in your system. Therefore, as a developer it is your responsibility to protect your clients' systems from such attacks.
These security threats can be divided into 2 categories.
1. Technical threats:
Technical threats are carried out by attackers through actions like SQL injection, malware, computer viruses, spyware, scams and so on.
2. Non-technical threats:
Remember that non-technical threats can cause huge damage to your systems too, such as social engineering, improper disposal of your paper-based records, theft, natural disasters, and even fraud committed by your own employees or contractors.
As developers we need to worry about both kinds of problem in equal measure. To create secure enough passwords for the sensitive data in an application we are developing or have developed, we can use some tips.
- Use a password manager to create and store your passwords: a good one generates long random passwords and keeps them in an encrypted vault. There are free password managers available on the internet; review them thoroughly before you trust one.
- Use a master password to get into your password manager. As long as the master password is strong and kept secret, nobody else will be able to access the passwords stored in it.
- Follow the best practices below to choose the master password.
- Use multiple words (at least 5 to 10, depending on how much security you need) that are not related to you (not your birthday, your relatives' names, your pet's name and so on),
- Choose words that are not related to each other (ex: Mountain greedy form Truncate Issue),
- Use spaces between the words (then merging them does not produce a single dictionary word),
- Put numbers and symbols between the letters of different words,
- Use words that do not exist,
- Use words with misspelled letters (Uropian instead of European).
There is another method we can use to choose our password, called Diceware.
It maintains a large list of words (7776 of them), each keyed by a five-digit number made up only of the digits 1 to 6.
ex: For 12152 the word is amity.
Likewise, we can take an ordinary die and roll it to get the number for each word. To get one word you have to roll the die 5 times. If you need 4 words you have to roll the die 20 times (4 x 5). Because the dice choose the words rather than you, nothing about them can be guessed from knowledge of your life, and each word adds about 12.9 bits of entropy (6 words give roughly 77 bits). After that you can apply the best practices above to strengthen the passphrase further.
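The Diceware procedure above, as an added example that is not part of the original post: five die rolls are converted into a position in a 7776-entry word list, the die is driven by the operating system's cryptographic random source instead of a physical die, and the entropy of the result is computed. The word list here is a constructed placeholder (dummy tokens, plus the page's own 12152 = amity entry); a real deployment would load a published Diceware list in its place.

```python
import math
import secrets
from typing import Callable, Sequence

WORDS_PER_LIST = 6 ** 5  # 7776 five-dice combinations, as in the real list

# Constructed placeholder word list. A real Diceware list (e.g. the EFF large
# wordlist) holds 7776 human-friendly words; here every slot is a dummy token
# except the page's own example 12152 -> "amity", so the example runs offline.
DEMO_WORDLIST = [f"word{i:04d}" for i in range(WORDS_PER_LIST)]


def dice_to_position(faces: Sequence[int]) -> int:
    """Map five die faces (1..6) to a 0-based list position.

    Diceware orders its list 11111, 11112, ..., 66666, so a roll is simply a
    five-digit base-6 number whose digits are shifted down by one.
    """
    if len(faces) != 5:
        raise ValueError("exactly five rolls make one word")
    position = 0
    for face in faces:
        if not 1 <= face <= 6:
            raise ValueError(f"a die face must be 1..6, got {face}")
        position = position * 6 + (face - 1)
    return position


DEMO_WORDLIST[dice_to_position([1, 2, 1, 5, 2])] = "amity"  # 12152 -> amity


def roll_die() -> int:
    """One fair die roll from the OS CSPRNG. Never use random.randint here:
    the random module is seedable and predictable, the secrets module is not."""
    return secrets.randbelow(6) + 1


def generate_passphrase(wordlist: Sequence[str], n_words: int,
                        roll: Callable[[], int] = roll_die) -> str:
    """Roll the die 5 * n_words times and join the chosen words with spaces."""
    if len(wordlist) != WORDS_PER_LIST:
        raise ValueError(f"a Diceware list must have {WORDS_PER_LIST} words")
    words = []
    for _ in range(n_words):
        faces = [roll() for _ in range(5)]
        words.append(wordlist[dice_to_position(faces)])
    return " ".join(words)


def passphrase_entropy_bits(n_words: int) -> float:
    """Each word is one uniform choice out of 7776, i.e. log2(7776) ~ 12.9 bits."""
    return n_words * math.log2(WORDS_PER_LIST)


if __name__ == "__main__":
    for n in (4, 6):
        print(f"{n} words ({5 * n} rolls, {passphrase_entropy_bits(n):.1f} bits):",
              generate_passphrase(DEMO_WORDLIST, n))
```

The `roll` parameter exists so the generator can be tested with a fixed die; in real use leave it at the default so every word comes from `secrets`. Note that the entropy figure assumes the words are chosen by the dice: a passphrase where a human picks "unrelated" words is worth considerably less, because human choices are far from uniform.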
- Use 2-factor authentication (2FA) or a One Time Password (OTP) with your systems. Then a stolen or reused password alone is not enough: the user must also present a second code that is different for each login session.
What We Can Do To Avoid Them?
- Always use really strong passwords with your systems.
- Encrypt your data, and hash (with salting) any password you store.
Data encryption protects confidentiality by transforming readable data (plaintext) into ciphertext that can only be turned back into plaintext with the correct key, which is either generated beforehand or agreed at the time of the exchange. There are 2 types of encryption methods.
1. Symmetric Encryption
Here, both the sender and receiver use the same secret key to encrypt and decrypt the confidential data. It is much faster than asymmetric encryption, but the key itself has to be shared over a secure channel, and anyone who obtains it can read everything; key distribution is its main weakness. Examples of symmetric ciphers:
- Data Encryption Standard (DES), now obsolete because its 56-bit key can be brute-forced,
- Advanced Encryption Standard (AES), the current standard,
- Cipher Block Chaining (CBC), which is not a cipher but a mode of operation in which a block cipher such as AES is run; for new designs an authenticated mode such as GCM is preferred.
2. Asymmetric Encryption
Here, the sender uses one key (the public key) to encrypt while the receiver uses a different key (the private key) to decrypt. The speciality of this scheme is that both keys are generated by the receiver as a pair. The receiver publishes the public key and sends it to the sender; the sender encrypts the data with that public key, which anyone may know, while only the receiver can decrypt it with the private key, which never leaves their hands. Well-known asymmetric (public-key) algorithms are:
- Rivest, Shamir, Adleman (RSA), used for both encryption and digital signatures,
- Diffie-Hellman, used to agree a shared secret key over an insecure channel rather than to encrypt data directly,
- Digital Signature Algorithm (DSA), used for signatures, not for encryption.
In practice the two kinds are combined: a public-key algorithm protects a fresh symmetric key, and the fast symmetric cipher protects the data.
In hashing, we use a mathematical algorithm to compute a hash value from our plaintext. A hash value is a fixed-size bit string, whatever the size of the input. Hashing is one-way: unlike encryption there is no key, so the hash cannot be converted back to the original value; the only way to "reverse" it is to guess inputs and compare their hashes. Hashing therefore lets us check that data or a file has not been altered, and lets us verify a password without storing the password itself. Common hashing algorithms are:
- SHA-1 (now broken for collision resistance and should be avoided), SHA-256, SHA-512.
For passwords, a plain SHA-2 hash is too fast: an attacker with a GPU can try billions of guesses per second. Use a deliberately slow password hashing function such as PBKDF2, bcrypt, scrypt or Argon2, together with salting.
Salting protects stored password hashes against precomputed (rainbow table) attacks and against cracking many users at once. In a brute force attack the attacker tries every possible combination of numbers, symbols and letters; with salts they have to repeat that work separately for every user. A salt is a random value, unique per password, that is combined with the password before hashing and stored next to the hash. It is not secret, but because each user gets a different salt, two users with the same password end up with different hashes.
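Hashing and salting as described above, as an added example that is not code from the original post: the naive unsalted SHA-256 scheme beside a salted, deliberately slow PBKDF2-HMAC-SHA256 scheme, with a verifier that recomputes the hash from the stored salt and compares in constant time. The storage format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the two-user scenario are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Iteration count for PBKDF2-HMAC-SHA256. The high count is what makes each
# guess expensive for an attacker; tune it so one login costs a few hundred ms.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The naive scheme the text warns against: fast, and the same password
    always gives the same digest, so one lookup table cracks every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, slow hash in a self-describing 'algo$iters$salt$hash' string
    (assumed format), so the parameters can be raised later without breaking
    existing records."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed scenario: two users happened to choose the same passphrase.
    shared = "Mountain greedy form Truncate Issue"
    print("unsalted, user A:", unsalted_sha256(shared))
    print("unsalted, user B:", unsalted_sha256(shared), "(identical: reuse is visible)")
    record_a, record_b = hash_password(shared), hash_password(shared)
    print("salted,   user A:", record_a)
    print("salted,   user B:", record_b, "(different salts, different hashes)")
    print("login ok:", verify_password(shared, record_a),
          "wrong password:", verify_password("Mountain greedy", record_a))
```

Two details matter in practice: the salt comes from `secrets`, never from `random` or a timestamp, and the comparison uses `hmac.compare_digest` rather than `==`. If a dedicated library offering bcrypt, scrypt or Argon2 is available, prefer it over hand-rolled PBKDF2; the structure of the record and the verification logic stay the same.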
- Always consider the back-end as well as the front-end vulnerabilities of the system.
I hope you now have a clear idea of which factors you need to consider when designing password handling for your applications and systems.