Wednesday, 24 April 2019

Security: Passwords and more...

... passwords. A list of the 100,000 most common ones, BTW:
https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere

Quoting:
"I'm a developer. What should I do with these files?

If your product is unlikely to have access to the internet when deployed (or you don't want to rely on an external service), you can include a check against one of these files in your authentication flow. It's up to you how you handle cases where the password matches one of these, but you should enable users to use tools such as password managers.

If you can make use of an external service, there are options such as Troy Hunt's Pwned Passwords API. Troy has written a really good blog covering how different companies have implemented this feature, that may help you to design your own flow.

Alternatively, look at ways to reduce the load on your users by looking at alternative authentication flows (like supporting single sign-on), and by keeping an eye on upcoming standards such as WebAuthn - we'll have more on this in the future."
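The two approaches in the quoted advice, an offline check against a local common-password file and a Pwned Passwords style lookup, as an added example (my code, not from the NCSC post or Troy Hunt's service). The blocklist and the range response below are constructed sample data; the range-API shape (SHA-1, first five hex characters sent, `SUFFIX:COUNT` lines returned) is from my knowledge of that API, not from the page.

```python
import hashlib

# Constructed stand-in for the NCSC file (one password per line);
# a real deployment loads the full 100,000-entry file instead.
COMMON_PASSWORDS_FILE = """\
123456
password
qwerty
letmein
Password1
"""

# Constructed stand-in for a Pwned Passwords range response: each line is the
# 35-character SHA-1 suffix and how often it was seen in breaches.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:42
00000000000000000000000000000000000:1
"""

def load_blocklist(text: str) -> set:
    """Parse a one-password-per-line file into a set, skipping blank lines."""
    return {line.rstrip("\r\n") for line in text.splitlines() if line.strip()}

BLOCKLIST = load_blocklist(COMMON_PASSWORDS_FILE)

def is_common_password(candidate: str, blocklist: set = BLOCKLIST) -> bool:
    """Offline check: exact, case-sensitive match against the local list."""
    return candidate in blocklist

def pwned_range_query(candidate: str):
    """Split the SHA-1 hex digest as the k-anonymity range API expects:
    only the 5-char prefix leaves the client; the suffix is matched locally."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count_from_range(suffix: str, range_body: str) -> int:
    """Return the breach count for our suffix from a range response, else 0."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue  # tolerate blank or malformed lines
        seen_suffix, count = line.strip().split(":", 1)
        if seen_suffix == suffix:
            return int(count)
    return 0

def password_is_acceptable(candidate: str, range_body: str = "") -> bool:
    """Reject a password found in the local list or in the (supplied) range."""
    if is_common_password(candidate):
        return False
    _, suffix = pwned_range_query(candidate)
    return breach_count_from_range(suffix, range_body) == 0
```

In production the range body comes from fetching the prefix from the API over HTTPS; the comparison logic stays exactly as above.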