Blog

Coders Conquer Security: Share & Learn Series - Authentication

Jaap Karan Singh
Published Apr 11, 2019

In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.

If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.

The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.

In this episode, we will learn:

  • How some common authentication vulnerabilities are exploited
  • Why they are so dangerous
  • What policies and techniques can be used to eliminate authentication vulnerabilities.

How do Attackers Exploit Authentication Vulnerabilities?

There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.

The most common authentication vulnerabilities include:

  • Having weak or inadequate password policies,
  • Allowing unlimited login attempts,
  • Providing information back to an attacker on failed logins,
  • Sending credentials over insecure channels,
  • Weakly hashing passwords,
  • And having an insecure password recovery process.

Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.

A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.

Why are Authentication Vulnerabilities so Dangerous?

There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.

Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.

Eliminating Authentication Vulnerabilities

One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.

You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.

Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.

Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.

More Information about Authentication Vulnerabilities

For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.

Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]

View Resource
View Resource

Were going to cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.

Interested in more?

Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Share on:
Author
Jaap Karan Singh
Published Apr 11, 2019

Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.

Share on:

In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.

If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.

The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.

In this episode, we will learn:

  • How some common authentication vulnerabilities are exploited
  • Why they are so dangerous
  • What policies and techniques can be used to eliminate authentication vulnerabilities.

How do Attackers Exploit Authentication Vulnerabilities?

There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.

The most common authentication vulnerabilities include:

  • Having weak or inadequate password policies,
  • Allowing unlimited login attempts,
  • Providing information back to an attacker on failed logins,
  • Sending credentials over insecure channels,
  • Weakly hashing passwords,
  • And having an insecure password recovery process.

Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.

A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.

Why are Authentication Vulnerabilities so Dangerous?

There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.

Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.

Eliminating Authentication Vulnerabilities

One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.

You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.

Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.

Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.

More Information about Authentication Vulnerabilities

For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.

Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]

View Resource
View Resource

Fill out the form below to download the report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Submit
To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.

In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.

If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.

The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.

In this episode, we will learn:

  • How some common authentication vulnerabilities are exploited
  • Why they are so dangerous
  • What policies and techniques can be used to eliminate authentication vulnerabilities.

How do Attackers Exploit Authentication Vulnerabilities?

There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.

The most common authentication vulnerabilities include:

  • Having weak or inadequate password policies,
  • Allowing unlimited login attempts,
  • Providing information back to an attacker on failed logins,
  • Sending credentials over insecure channels,
  • Weakly hashing passwords,
  • And having an insecure password recovery process.

Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.

A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.

Why are Authentication Vulnerabilities so Dangerous?

There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.

Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.

Eliminating Authentication Vulnerabilities

One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.

You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.

Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.

Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.

More Information about Authentication Vulnerabilities

For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.

Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]

Access resource

Click on the link below and download the PDF of this resource.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

View reportBook a demo
Share on:
Interested in more?

Share on:
Author
Jaap Karan Singh
Published Apr 11, 2019

Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.

Share on:

In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.

If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.

The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.

In this episode, we will learn:

  • How some common authentication vulnerabilities are exploited
  • Why they are so dangerous
  • What policies and techniques can be used to eliminate authentication vulnerabilities.

How do Attackers Exploit Authentication Vulnerabilities?

There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.

The most common authentication vulnerabilities include:

  • Having weak or inadequate password policies,
  • Allowing unlimited login attempts,
  • Providing information back to an attacker on failed logins,
  • Sending credentials over insecure channels,
  • Weakly hashing passwords,
  • And having an insecure password recovery process.

Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.

A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.

Why are Authentication Vulnerabilities so Dangerous?

There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.

Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.

Eliminating Authentication Vulnerabilities

One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.

You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.

Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.

Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.

More Information about Authentication Vulnerabilities

For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.

Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]

Table of contents

View Resource
Interested in more?

Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demoDownload
Share on:
Resource hub

Resources to get you started

More posts
Resource hub

Resources to get you started

More posts