10 best practices to protect your users’ data (and why they’re still not sufficient)

Dimitri Merejkowsky on February 05, 2019

Over the last ten years, data breaches have become both more damaging and frequent. Massive leaks regularly make the headlines and hackers target... [Read Full]
markdown guide

Two points here:

  1. Please don't use an elaborate password policy. Policies like "8-16 characters, including one uppercase letter, one lowercase letter, and one number" are not useful. Instead, impose a minimum entropy of the password. Obligatory xkcd: xkcd.com/936/

  2. Even before you get to the actual security of data, you need to first ask how you mitigate a compromise. Wikipedia needs backups to restore in case the site is erased, but doesn't need to protect the data from being viewed. A CIA system for communication with agents, on the other hand, needs a plan for extracting those agents and any handlers that may be compromised, and then rebuilding the networks that were compromised.

Before you store any data, figure out what you need to do to make all parties whole. The cost of doing that determines what level of security you need.


Completely agreed on annoying password policies, but I think it's important to balance that with helping users who manage to reliably top the bad password lists!

I'd encourage websites who want to go the extra mile to integrate with the "Pwned Passwords" API of HaveIBeenPwned.com and high-quality password strength estimators like zxcvbn instead.


Requiring periodic rotations is another bit of conventional wisdom that makes sense until you remember that you're dealing with people. Password managers, minimum entropy requirements, and 2fa give a lot more bang for your buck overall; rotations can help in certain sensitive circumstances but they're a bad general remedy. Most users already find password management painful, and asking them to do it all over from scratch every few months introduces all kinds of opportunities for doing it poorly.


The best way to prevent losing users' data is not having it in the first place. Businesses are overly greedy collecting data and too lazy deleting it.


On point 2:

the 'wisdom' of this age is to not rotate passwords on time but when there are indications that it is needed.

see: nakedsecurity.sophos.com/2016/08/1...

to list the do not do's

  • No composition rules.
  • Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.
  • No password hints.
  • Knowledge-based authentication (KBA) is out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school...
  • No more expiration without reason.

I have came across some apps that does't do passwords but uses some alternatives to log users in.


  1. Login Links: Sends one time login link that expires after one use or after some time (Usually within couple of Hours.)

    • One drawback is that , users will have to go to / access their emails every time they want to log in.
  2. Entry Code: A 5-to-6 Digit One time code that users gets via Email or SMS and they use this code to Login to the app.

Other way is to Use Third party authentication like facebook or twitter, but in order to do that, said product must have already built trust among their users and even after that many users will not be comfortable of using their social logins.

code of conduct - report abuse