The following list includes mitigation strategies you will want to present to your clients concerning secure password storage and transmission:
- Don't allow developers to hard-code credentials in apps.
- Hash stored passwords rather than storing them in plaintext.
- Use cryptographically strong hash functions, like SHA-256 and bcrypt.
- Avoid cryptographically weak hash functions, like MD5 and SHA-1.
- Use network access protocols that encrypt passwords in transit.
- For example, use SSH instead of Telnet, HTTPS instead of HTTP, FTPS instead of FTP, etc.
- Ensure network access protocols are using strong ciphers, like AES-256 and RC6.
- Avoid using network access protocols that incorporate weak cryptographic ciphers, like DES and 3DES.
- Disallow or reconfigure services that allow themselves to be negotiated down to a weaker cryptographic or protocol version.
- Ensure security solutions like IDS and data loss prevention (DLP) can monitor and manage unencrypted traffic in the network.