Going All Guns Blazing: Enforce Strong Password Policies with Drupal
July 31 2018
6 min read
Ali Baba and the Forty Thieves, invented in the 18th century by the French Orientalist Antoine Galland, portrays the literary history of the password. The invocation, “Open, Sesame!” which was used in this classic tale to open the magically sealed cave enjoys a broad currency as a catchphrase today.
With the rapidly evolving digital space, password security is even more crucial and needs the right kind of strategic perspective with strong policies. Drupal, being one of the most secure platforms among the leading content management systems, can help in enforcing password policies with its enormous security-oriented abilities.
Password Policy: A Close Look
Password security was brought into the computing world through the invention of the Compatible Time-Sharing System and Unics (Unix) system. This was developed at the Massachusetts Institute of Technology and Bell Laboratories in the 1960s. The concept of the password was developed so that the users could only have the access to specific files in their allotted time of computer usage.
A password policy is a particular collection of rules that enables proper storage and utilisation of passwords, helps in the creation of dependable and secure passwords and enhances computer security. Commonly, it is part of the official regulations of an organisation and might be employed as a component of security awareness training.
On what basis can you formulate password policy? One of the best collection of guidelines for password policy comes from the National Institute of Standards and Technology (NIST) which is a part of the U.S. Department of Commerce. They have framed a set of Digital Identity Guidelines that provide a great basis on which password policy can be crafted.
The guidelines provided by NIST stresses on user-friendliness. It states that excessively onerous password policies often impacts negatively. For instance, if the users are forced to change their passwords every week, many of them would wind up choosing bad passwords.
Security has always been a compromise between allaying risk and convenience.
A research from Microsoft on password strategies suggests that simple passwords, which can be easily memorised, should be used for low-risk sites. Intricate passwords should be reserved for the sites where the security risks warrant huge repercussions. This suggestion is debatable but it illustrates the trade-off.
For instance, if your site involves users sharing fields of their pet dogs, you can have a lenient approach towards your password policy. Complex passwords may be used for sites where users access sensitive financial or healthcare-related data.
Can Drupal modules and configurations be used for implementing strong password policies?
Drupal’s rich security features for enforcing strong password policies
By default, Drupal offers guidance on how to make your password stronger. But it does not enforce any password policy out-of-the-box. In order to do that, it comes with a huge library of modules that can help in the enforcement of firm password policies.
Setting restrictions on password
Password Policy, a Drupal module, allows you to lay a set of requirements on passwords that are created by the users. These requirements comprise of length, digits, case, punctuation etc. For instance, you can set what sort of characters and in what amount could be used in a password. It also comes with a password expiration feature.
Setting composition rules
The Password Policy lets you set up intricate composition rules for the passwords. But another Drupal module, Password Strength, offers a user-friendly alternative to prescriptive composition rules. It offers real-time password strength measurement and server-side enforcement.
NIST guidelines suggest that spaces are permitted in passwords which can contribute towards more user-friendly policies when it comes to passphrases. Drupal allows spaces in passwords out-of-the-box.
In case, you do not need any special locks, you can disable the password strength check using a Drupal module called Password Strength Disabler and allow users to feel at ease while creating passcodes.
Avoiding hints and reminders
In case, your website requires hints and reminders, you can add an additional lock to the doors by incorporating security questions while logging in and resetting passwords. Security Questions, a Drupal module, helps you in achieving this numerous configurable options.
However, NIST guidelines suggest that it is better to avoid hints and reminders. Security questions which are fairly easy to guess can be used to compromise user accounts.
But Drupal offers another very useful module called Username Enumeration Prevention which can make it difficult for website hackers to find the usernames and attempt any brute-force attacks.
Leveraging authentication procedure
In case, you need more than one lock, the Two-factor Authentication module can come in handy. It provides an extra layer of security to the authentication procedure. This can be one-time passwords (OTP), codes sent through SMS, or pre-generated codes. It also allows integration with third-party services like Authy, Duo etc.
An authentication and authorisation infrastructure system, Shibboleth is capable of granting individual users with safe, anywhere, anytime access to resources which are available online. Shibboleth authentication, Drupal module, offers user authentication with Shibboleth.
This confrontation in the so-called shibboleth incident in the 12th chapter of the biblical Book of Judges delineates the earlier forms of password security:
“ ‘Say now Shibboleth’; and he said ‘Sibboleth’; for he could not frame to pronounce it right; then they laid hold on him, and slew him at the fords of the Jordan.”
Drupal does rate-limiting out-of-the-box. But there is no particular UI which exposes configuration that can be tweaked. Flood control, a Drupal module, allows you to limit the number of login attempts by using a convenient admin interface.
To take rate-limiting a step further, Login security module can be beneficial. It helps in limiting the number of invalid login attempts before blocking accounts or denying access by IP address temporarily or even permanently.
To facilitate the login attempts limitation by blocking out the sources of malicious requests, Fail2ban Firewall Integration module offers an automated firewall tool.
Enhancing login features
If your website is available via both HTTP and HTTPS, Secure Login module can ensure that your user login forms or other pages are transmitted via HTTPS. This keeps the passwords hidden from the prying eyes of hackers.
It is always appreciated when the user is given the convenience of using an all-in-one login. OneAll Social Login module allows users to sign in on your website using their social network accounts like Facebook, LinkedIn Twitter, Instagram etc.
In case, an user types an email address incorrectly in a sign-up form, he will not get any confirmation emails which can be troublesome. Email Verify module verifies whether the email address typed by the user exists or not.
Doing away with passwords altogether
What if you do not want to enter a password at all? The Passwordless module gives a possibility of logging in without using a password at all. So if a user has to log in, only the email address would be required. A login link will be sent to that email address which will be valid for 24 hours.
Outlining best practices of password policy
While Drupal is very efficacious in enforcing strong password policies, it is imperative to understand the best practices that can be adopted for incorporating intelligent password policy.
Adopting the 8 + 4 rule can be beneficial. You can use 8 characters with 1 upper-case and 1 lower-case, a special character like an asterisk and a number. Make it as random as possible. Also, make sure the numbers and symbols are spread out through the password to foil hackers.
Avoid using personal information like your birth date or last name etc.
Use different passwords for different accounts. This can be helpful if there are numerous computers in the same department.
Adopting passphrases in combination with symbols and numbers can be useful. For example, The Sun Will Rise Again Tomorrow. Also, keep the characters less in the passwords that are easier to remember.
You may consider not changing the passwords frequently and it is safer not to write them down anywhere.
Do not share the password over electronic media.
Add other barriers like two-factor authentication and multi-factor authentication.
Set a number that will lock the user out after few unsuccessful attempts.
Password security has evolved over the years in the digital arena. It is significant to have a strong set of rules while deploying password policies. They should not only assist users in avoiding bad passwords but aid in employing high entropy secure passwords. Drupal provides a superb platform to enforce strong password policies with its amazing set of modules.