Password perfection – Keeping users safe

With the user data of over 70 operators from across the UK entrusted to them, Bournemouth-based technology company Passenger ensures they keep ahead of changing security developments and ensure best practice in all processes with frequent software testing and staff training. 

Keeping passwords and personal information safe and protected from outside intruders is a critical priority for any business. Beyond enforcing users to choose strong passwords that adhere to industry best practice, with Passenger products there’s a great deal that goes on behind the scenes that works hard to keep user data safe.

Passenger Platform Lead, Alex Ross, explains some of the steps taken to make sure user’s passwords – the gatekeepers stopping unauthorised users accessing personal information – are created following best practice to be super-safe.

Password hashing

“As a first step, Passenger never stores passwords in clear text. Following best security practices, we use an algorithm that produces a ‘salted hash’ – a scrambled version – of a password that can be stored securely. We then regenerate the salted hash from the user’s password at login and compare it with the one stored in our user account database” explains Alex.

“Hashing passwords is one of the most critical parts of a good security system. In 2020 we upgraded our password hashing mechanism to always automatically use the best available method. The current implementation uses the recommended libsodium’s Argon2 algorithm, which also helps prevent brute force attacks (such as those seen after a data breach)”.

Pwned passwords service

“Password reset functions for Passenger apps and websites use Troy Hunt’s Pwned Passwords service – a database of millions of real-world passwords previously exposed in data breaches and at greater risk of being used to take over user accounts. When creating passwords, users are told that they can’t use a password that appears in the database and are asked to choose another”. 

For extra security, the Troy Hunt service interfaces with the Pwned Password database using the K-anonymity model, allowing a password to be searched for with just a partial hash. 

“We send the first 5 characters of the user’s hashed password to the Pwned Password service and never send passwords outside of our user account systems. Pwned Passwords then sends us back a large list of hashes that match those first 5 characters and we can check that list for the presence of the known password.”

Passenger also shares official password guidance from the UK’s National Cyber Security Centre with users, to provide direction on setting up passwords that will remain uncompromisable and keeping any personal or financial information safe and secure. 

Of course, user security and passwords are just one aspect of data protection, and Passenger will be sharing more information on different security tools and practices throughout the year.