04 application security fundamentals - part 2 - security mechanisms - authentication
- 1. AUTHENTICATION Security Mechanism: Authentication Authorization Session Management Data Validation Error Handling Logging Encryption
- 2. Authentication Core Concepts Something you know Something you have Something you are A manner for identifying a user is who they claim to be. Two-Factor Authentication Leverage two of these methods for a single authentication transaction.
- 3. Authentication Words to Live By Enforce basic password security Implement an account lockout for failed logins “Forgot my password” functionality can be a problem For web applications, use and enforce POST method
- 4. Authentication Words to Live By: #1 Enforce basic password security • Minimum length enforcement • Require complex composition • Should not contain the user name as a substring • Users must be able to change password • Consider password expiration over time • Prevent reuse of some previous passwords when changed
- 5. Real World Example - Twitter
- 6. Good practices Minimum password length = 8 Passwords must contain characters from three of the following four categories: – uppercase characters (A through Z) – lowercase characters (a through z) – base 10 digits (0 through 9) – non-alphabetic characters (for example, !, $, #, %) Password must not contain the user's account name Maximum password age = 6 months Minimum password age = 1 day Password history = 12 passwords remembered
- 7. Authentication Words to Live By: #2 The problem – The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks. Implement an account lockout for failed logins
- 8. Real World Example - Twitter
- 9. Real World Example - eBay A famous example of this type of weakness being exploited is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction. Mitigations: Shorten the length of account lockout Don't show who the highest bidder is Don't expose user id, only expose name o Name should never be used as a key
- 10. Authentication Words to Live By: #3 The problem – The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. “Forgot my password” functionality can be a problem
- 11. Real World Example – Yahoo! & Sarah Palin Yahoo! email used three security questions: 1. Birthday 2. Zip code 3. Where she met her husband
- 12. Real World Example – Apple iForgot 1) iforgot.apple.com – enter Apple ID 2) Select authentication method – “answer security questions” 3) Enter date of birth 4) Answer two security questions 5) Enter new password 6) Password is reset Knowing someone’s Apple ID and DOB would allow construction of the URL after step #5. -------- The exploit was published on the day that Apple launched two-factor authentication for Apple ID accounts, which would have prevented the attack for anyone that had enabled it. Once activated, the feature replaces the security question based verification with a 4-digit code sent to the user's mobile device
- 13. Good practices Make sure any security question is hard to guess and hard to find the answer. The system must only email the new password to the email account of the user resetting their password. Assign a new temporary password rather than revealing the original password and force the user to set a new one. Avoid sending the password via email, but rather send a reset link with a unique token with enough entropy and with a short lifespan Consider throttling the rate of password resets so that a legitimate user can not be denied service by an attacker that tries to recover the password in a rapid succession.
- 14. Authentication Words to Live By: #4 The problem – The web application uses the GET method to process requests that contain sensitive information, which can expose that information through the browser's history, referrers, web logs, and other sources. For web applications, use and enforce POST method
- 15. Real World Example – Watchguard SSL-VPN