The following list includes mitigation strategies you will want to present to your clients concerning secure password storage and transmission:

  • Don't allow developers to hard-code credentials in apps.
  • Hash stored passwords rather than storing them in plaintext.
  • Use cryptographically strong hash functions, like SHA-256 and bcrypt.
  • Avoid cryptographically weak hash functions, like MD5 and SHA-1.
  • Use network access protocols that encrypt passwords in transit.
  • For example, use SSH instead of Telnet, HTTPS instead of HTTP, FTPS instead of FTP, etc.
  • Ensure network access protocols are using strong ciphers, like AES-256 and RC6.
  • Avoid using network access protocols that incorporate weak cryptographic ciphers, like DES and 3DES.
  • Disallow or reconfigure services that allow themselves to be negotiated down to a weaker cryptographic or protocol version.
  • Ensure security solutions like IDS and data loss prevention (DLP) can monitor and manage unencrypted traffic in the network.