Should we block compromised passwords and require 2FA?
Since Practical Laravel Security is a security course, my security auditor brain wants me to make the course platform as secure as possible. That includes blocking compromised/pwned passwords by default and require 2-Factor Authentication (2FA) on all accounts...
Both of these requirements are becoming more common across the internet, and since my aim is to teach you how to secure your apps by teaching you secure habits and behaviours, it made sense to me to encourage you towards secure account behaviours within PLS.
So I put it to my Twitter and Mastodon/Fediverse communities to see what everyone thought. This is the Tweet/Toot/post I put out:
Building the app for my Laravel Security course and I'm thinking of requiring 2FA on all accounts and blocking Pwned Passwords. 🤔 It's a security course, so forcing solid security practices on users seems like a good idea to me. 😎 Any reason why I shouldn't?
I received some interesting feedback, which is worth going and reading through. Feel free to jump into the discussions in the threads too if you want to contribute. 🙂
The general consensus was:
Blocking compromised/pwned passwords is OK if it's explained properly.
Requiring 2FA will turn some people off, so should be avoided without further education.
Taking this feedback into account, and my own personal experience, I've decided that PLS will be blocking compromised passwords by default, but won't be requiring 2FA initially.
Compromised / Pwned Passwords
For those who haven't heard of it before, compromised or pwned passwords are passwords which have been exposed in a data breach. This means they are known working passwords that are no longer unique, and hackers use them constantly to try to log into user accounts. By blocking these known compromised passwords, it significantly reduces the risk of a hacker from gaining access to user accounts.
We'll cover how to check for compromised / pwned passwords in detail within the Passwords module in the course (spoiler alert: it's pretty easy!). We'll also discuss the benefits of why you want to block them and also some reasons for not doing so.
Ultimately, what this means for you is: when you sign up to PLS, you'll need to use a unique random password for your account.
Modern browsers generate random unique passwords and store them securely for you (or you can use a Password Manager like 1Password), so you shouldn't have any trouble with this step.
2-Factor Authentication (2FA)
2FA, also known as MFA and 2SA, is another important security precation that prevents account compromise. We'll dive into what it is, how it works, and why it's so important in the 2FA module of the course. Hopefully the term is familiar to you, but if not, you should be familiar with one-time SMS tokens or even apps like Google Authenticator. These are all implementations of 2FA.
Since 2FA isn't as commonly understood, we'll be keeping it optional when you first create an account in the PLS system. You'll be able to enable 2FA if you want, but you won't be forced to do so.
However, there will be a 2FA module within PLS. When you get to this module, you will be required to set up 2FA on your account. The idea being that you'll learn how it works and then be in a good position to enable it.
For those more familiar with MFA options, I am working with a friend to implement their exciting new authentication package (yes security people like myself get excited about weird things!) into PLS. This will bring app-based 2FA, alongside WebAuthN for U2F hardware tokens (like YubiKeys), device biometrics, and even Passkeys (which should provide an elegant passwordless login flow!). It's all very exciting! 😁
Finally... Don't forget about the Presale!
Practical Laravel Security is currently open for presales, while I build out the system and get everything ready. The presales are heavily discounted from the full price, so if you're interested in the course, now is the time to grab it at the best price.