Coders Conquer Security: Share & Learn Series - Authentication
In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.
The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.
In this episode, we will learn:
- How some common authentication vulnerabilities are exploited
- Why they are so dangerous
- What policies and techniques can be used to eliminate authentication vulnerabilities.
How do Attackers Exploit Authentication Vulnerabilities?
There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.
The most common authentication vulnerabilities include:
- Having weak or inadequate password policies,
- Allowing unlimited login attempts,
- Providing information back to an attacker on failed logins,
- Sending credentials over insecure channels,
- Weakly hashing passwords,
- And having an insecure password recovery process.
Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.
A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.
Why are Authentication Vulnerabilities so Dangerous?
There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.
Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.
Eliminating Authentication Vulnerabilities
One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.
You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.
Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.
Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.
More Information about Authentication Vulnerabilities
For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]
Were going to cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoJaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.
The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.
In this episode, we will learn:
- How some common authentication vulnerabilities are exploited
- Why they are so dangerous
- What policies and techniques can be used to eliminate authentication vulnerabilities.
How do Attackers Exploit Authentication Vulnerabilities?
There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.
The most common authentication vulnerabilities include:
- Having weak or inadequate password policies,
- Allowing unlimited login attempts,
- Providing information back to an attacker on failed logins,
- Sending credentials over insecure channels,
- Weakly hashing passwords,
- And having an insecure password recovery process.
Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.
A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.
Why are Authentication Vulnerabilities so Dangerous?
There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.
Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.
Eliminating Authentication Vulnerabilities
One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.
You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.
Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.
Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.
More Information about Authentication Vulnerabilities
For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]
In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.
The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.
In this episode, we will learn:
- How some common authentication vulnerabilities are exploited
- Why they are so dangerous
- What policies and techniques can be used to eliminate authentication vulnerabilities.
How do Attackers Exploit Authentication Vulnerabilities?
There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.
The most common authentication vulnerabilities include:
- Having weak or inadequate password policies,
- Allowing unlimited login attempts,
- Providing information back to an attacker on failed logins,
- Sending credentials over insecure channels,
- Weakly hashing passwords,
- And having an insecure password recovery process.
Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.
A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.
Why are Authentication Vulnerabilities so Dangerous?
There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.
Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.
Eliminating Authentication Vulnerabilities
One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.
You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.
Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.
Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.
More Information about Authentication Vulnerabilities
For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoJaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.
The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.
In this episode, we will learn:
- How some common authentication vulnerabilities are exploited
- Why they are so dangerous
- What policies and techniques can be used to eliminate authentication vulnerabilities.
How do Attackers Exploit Authentication Vulnerabilities?
There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.
The most common authentication vulnerabilities include:
- Having weak or inadequate password policies,
- Allowing unlimited login attempts,
- Providing information back to an attacker on failed logins,
- Sending credentials over insecure channels,
- Weakly hashing passwords,
- And having an insecure password recovery process.
Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.
A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.
Why are Authentication Vulnerabilities so Dangerous?
There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.
Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.
Eliminating Authentication Vulnerabilities
One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.
You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.
Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.
Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.
More Information about Authentication Vulnerabilities
For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]
Table of contents
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
Deep Dive: Navigating the Critical CUPS Vulnerability in GNU-Linux Systems
Discover the latest security challenges facing Linux users as we explore recent high-severity vulnerabilities in the Common UNIX Printing System (CUPS). Learn how these issues may lead to potential Remote Code Execution (RCE) and what you can do to protect your systems.
Coders Conquer Security: Share & Learn - Cross-Site Scripting (XSS)
Cross-site scripting (XSS) uses the trust of browsers and ignorance of users to steal data, take over accounts, and deface websites; it's a vulnerability that can get very ugly, very quickly. Let's take a look at how XSS works, what damage can be done, and how to prevent it.