
06) Do all of your organisation's applications and systems use industry best practice for authentication, including storing all user passwords as appropriate hashes?

August 31, 2022 Software Development Authentication Best Practice

Answer yes if your organisation ensures that all of its applications and systems (that are developed/built in-house) use industry best practice for authentication, and that all passwords are stored as hashes using secure hashing algorithms rather than as plain text.

What is it?

Authentication is one of the core tenets of information security. It is therefore important that it be implemented properly.

This means not just having suitable and effective authentication in terms of identifying users and requiring appropriately complex credentials, but also ensuring that the authentication mechanisms themselves protect the security of those credentials.

Most connections nowadays feature some form of encryption ensuring that data, including authentication data, cannot be intercepted over the network. Unfortunately, sometimes credentials are not stored safely on the servers themselves.

Password salting and hashing solve this problem by ensuring that plain-text passwords never need to be stored.

Why should I have it?

In order for a system to grant a user access, it needs to know whether the password entered is correct. In the past, this was done by keeping a copy of the password on the system, against which the system could compare what the user entered.

However, storing credentials on the system in plain text means they can potentially be compromised by anyone who has access to the system.

For this reason, current best practice dictates that passwords never be stored on the system.

Instead, systems should store a hash of the password. The hash is obtained by applying a one-way hashing function to the password at the time it is set on the system. It is virtually impossible to recover the password from the hash (hence the “one-way” nature of the hashing algorithm).

When the user later tries to log in, the system takes the user-supplied password, hashes it, and compares the result with the stored hash instead. It never needs to store an actual password, which removes the possibility that the passwords themselves could be stolen from the system.

How to implement the control:

A policy should be created mandating that passwords never be stored (or transmitted) in plain text.

In terms of implementation, there are many available authentication frameworks, such as Django, that can be used in your development efforts and that implement most best practices for you. Should you need to do your own development, your policy should define which hashing functions to use, as not all are currently considered effective.
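As an added illustration of the set-then-compare flow described above and of a policy that names the acceptable hashing function (example code written for this article, not Risk Ledger's or Django's own), the following Python uses PBKDF2-HMAC-SHA256 from the standard library. The iteration floor, the record format and the `needs_rehash` helper are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os

# Policy settings (assumption for this example): only PBKDF2-HMAC-SHA256 is
# acceptable, and stored records must use at least MIN_ITERATIONS rounds.
ALLOWED_ALGORITHMS = {"pbkdf2_sha256"}
MIN_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Hash a new password for storage; the plain-text password is never kept.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt>$<digest>"
    so the algorithm and parameters can be checked (and upgraded) later.
    """
    salt = os.urandom(16)  # fresh random salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare the hashes."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or legacy format: refuse rather than guess
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def needs_rehash(record: str) -> bool:
    """True when a stored record no longer meets policy (legacy algorithm or too few rounds).

    A login flow can call this right after a successful verify_password(); the
    plain-text password is in hand at that moment, so the record can be replaced.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] not in ALLOWED_ALGORITHMS:
        return True
    return int(parts[1]) < MIN_ITERATIONS


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print(stored, verify_password("correct horse battery staple", stored))
```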

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing an SDLC that includes security best practice in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
