If you’re someone who’s worried about the security of the web sites you use, whether it’s for personal reasons or as a business partner, you can’t help but be concerned about how other sites manage passwords. Password security is only one aspect of web site protection, but it’s a very public-facing one. The recent LinkedIn hacks are troubling, to say the least, and LinkedIn is only the most recently visible site to suffer the hacker’s scrutiny. Sadly, it happens all the time.

Now, it’s easy for all of us to blame LinkedIn, or any web site that has had its passwords hacked. However, if you really want your access to a site secured, you should set (and monitor) a minimum password strength for yourself. Your first pet’s name probably isn’t going to cut it. Mine was “Kitty”…you see my point.

Web sites can enforce this, but at Red e App we do not, because we chose to allow each app user to decide for themselves what password strength is appropriate for them. If “Kitty” is good enough for the individual, we’ll allow it.

For enterprise consumption, though, this probably isn’t good enough. We leave that decision to the enterprise partner. Local enterprise policy should be authored, followed, and enforced.

But you may be interested to know that here at Red e App we hash all passwords using SHA-1 after adding a series of cryptographically random “salt” bytes (random values combined with the password before hashing, which increase the complexity of what is hashed and help prevent successful hacks). It’s unwise to ever claim a site is not hackable... but this technique for securing passwords has been proven to be the most secure of any alternatives we could have chosen.
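To make the salting scheme described above concrete, here is an added example (not Red e App’s own code) of storing and verifying a salted SHA-1 password record; the 16-byte salt length and the `sha1$salt$digest` record layout are assumptions, since the post does not state them, and a PBKDF2 variant is included as the slow-hash alternative a practitioner would want to compare against.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16  # assumption: the post does not say how many salt bytes are used


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a storable record 'sha1$<salt hex>$<digest hex>'.

    A fresh cryptographically random salt is drawn from os.urandom for each
    call, so two users who both choose "Kitty" get different stored records
    and a precomputed table of SHA-1("Kitty") is useless against the store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if scheme != "sha1":
        return False
    candidate = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(candidate, digest_hex)


def hash_password_pbkdf2(password: str, salt: bytes = None,
                         iterations: int = 600_000) -> str:
    """Same idea, but with a deliberately slow, iterated hash.

    A single salted SHA-1 is cheap to compute, so an attacker holding the
    table can still try many guesses per second per record; PBKDF2's
    iteration count makes each guess cost the same as a legitimate login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"
```

Running `hash_password("Kitty")` twice yields two different records that both verify, which is exactly the property the salt provides.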

And, no, my personal Red e App app password is not “Kitty”!

Kenn Scribner
Red e App Director of Platform Engineering