If you are not already familiar with the concept of Weak Authentication, we suggest you review the article entitled “What Is Weak Authentication ?“.
For insight into how to detect Weak Authentication vulnerabilities, please see the article entitled “How To Test For Weak Authentication“.
Preventing Weak Authentication
Best Practices To Avoid Weak Authentication vulnerabilities include:
- Adopting a strong Password Policy and enforcing it consistently in all applications
- Using Two-Factor or Multi-Factor Authentication when the risk level warrants it
- Integrating an industry standard authentication framework
- Adding Risk-based Authentication and escalating challenges as circumstances warrant
- Ensuring that authentication is a pre-condition to access all application resources
- Keeping the authentication token secure and limited in lifetime
Protecting Against Password Cracking
In addition to a Password Policy it is necessary to protect the application against password cracking. This can be accomplished in a number of ways:
- Introducing increasing delays in response to contiguous authentication failures. That is, implement D = F(N) where:
- D is the delay before redisplaying the login screen
- N is the number of contiguous failed authentication attempts
- F is a function that yields an ever increasing D as N increases
- Displaying an “anti-robot” challenge in response to a series of N contiguous authentication failures. There are numerous “Captcha” solutions for free and purchase. Simple home-grown solutions can also be developed.
- The user account can be temporarily locked after some predefined number of contiguous authentication failures.
Authentication Frameworks
There are a number of open and proprietary standard solutions to the problem of authentication, and there is little reason to create your own from scratch, The reader is encouraged to review the following options, noting that some are language specific:
- HTTP Digest Authentication
- Java Authentication and Authorization Service (JAAS)
- ASP .NET Security Architecture
- Database Authentication for PHP Apps
- Security Assertion Markup Language (SAML)
- OpenId
- Open Authentication Framework (OAuth):
For additional information, we encourage you to review the OWASP Authentication Cheatsheet.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.