The internet has undeniably brought a myriad of benefits to our lives, making it easier than ever to connect, share, and learn. However, these benefits come with a price. Our digital identities, personal information, and financial data are constantly at risk of being compromised. One of the primary culprits? Weak, commonly used passwords.
If you’re an app developer, security is always on your mind. You’ll also know your secure APIs are only as strong as your user’s passwords, and users who aren’t tech-savvy pick horrible passwords!
In Appwrite 1.3, we released two new features to help mitigate this risk and protect user data. Password History in combination with Password Dictionary prevent common pitfalls when users are faced with the need to set or update their passwords. In this post, we’ll show you how Appwrite’s Password Dictionary can prevent a potential data breach in your app.
⛔ The Problem: Commonly Used Passwords and Data Breaches
To understand the extent of the problem, let’s take a look at some real-life examples of data breaches caused by commonly used passwords.
The Yahoo Data Breach (2013-2014)
In 2013 and 2014, Yahoo suffered two massive data breaches affecting over 3 billion user accounts. While the breaches were orchestrated by a state-sponsored hacker group that used various sophisticated techniques, the use of weak passwords by Yahoo users exacerbated the situation. Once the hackers had access to Yahoo’s databases, they were able to crack and compromise many user accounts more quickly and easily because a significant portion of the users had weak, commonly used passwords.
An analysis of the leaked data revealed that many users relied on simple, easily guessable passwords like “123456,” “password,” and “qwerty.” These weak passwords made it easier for the attackers to use brute-force or dictionary attacks to crack them, thus providing an open door for attackers to compromise user accounts and gain unauthorized access to personal information.
The LinkedIn Data Breach (2012)
In 2012, LinkedIn suffered a data breach that affected 167 million user accounts. Again, weak passwords played a significant role in the breach. A staggering 65% of the leaked passwords were easily crackable due to their simplicity or their appearance on common password lists. This breach not only highlighted the importance of strong, unique passwords but also the need for organizations to protect users from themselves by implementing better security measures.
These examples demonstrate the risks associated with using weak, commonly used passwords. But what can be done to mitigate this problem?
🔐 Introducing Password Dictionary
A password dictionary is a tool designed to help address the issue of weak, commonly used passwords. It is essentially a large database of commonly used passwords that are considered insecure. When a user attempts to set a new password, the password dictionary checks if the proposed password is on the list. If it is, the user is prompted to choose a different, more secure password.
The newly introduced password dictionary in Appwrite adds an additional layer of security for user accounts. By preventing users from setting commonly used passwords, the password dictionary:
- Reduces the risk of password-based attacks
- Encourages stronger passwords
- Enhances overall system security
By default, the Password Dictionary is disabled. To enable it, head over to the Auth section in your project and look for the Security tab in the top navigation bar.
Scroll down to find the Password Dictionary settings and enable it. Password Dictionary will now be enforced for all new users that sign up as well as when users try to update their passwords.
⏭️ What’s next?
As we continue to rely on digital services in our daily lives, it is crucial for individuals and organizations alike to prioritize security. By making strong, unique passwords the norm rather than the exception, we can all contribute to a safer and more secure digital world.
You can learn more about Password History, which is another security measure to protect users from reusing their old passwords and all the other cool features added in the latest version of Appwrite in our announcement post.