Coders Conquer Security: Share & Learn Series - Authentication
In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.
The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.
In this episode, we will learn:
- How some common authentication vulnerabilities are exploited
- Why they are so dangerous
- What policies and techniques can be used to eliminate authentication vulnerabilities.
How do Attackers Exploit Authentication Vulnerabilities?
There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.
The most common authentication vulnerabilities include:
- Having weak or inadequate password policies,
- Allowing unlimited login attempts,
- Providing information back to an attacker on failed logins,
- Sending credentials over insecure channels,
- Weakly hashing passwords,
- And having an insecure password recovery process.
Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.
A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.
Why are Authentication Vulnerabilities so Dangerous?
There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.
Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.
Eliminating Authentication Vulnerabilities
One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.
You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.
Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.
Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.
More Information about Authentication Vulnerabilities
For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]
Were going to cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.
The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.
In this episode, we will learn:
- How some common authentication vulnerabilities are exploited
- Why they are so dangerous
- What policies and techniques can be used to eliminate authentication vulnerabilities.
How do Attackers Exploit Authentication Vulnerabilities?
There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.
The most common authentication vulnerabilities include:
- Having weak or inadequate password policies,
- Allowing unlimited login attempts,
- Providing information back to an attacker on failed logins,
- Sending credentials over insecure channels,
- Weakly hashing passwords,
- And having an insecure password recovery process.
Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.
A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.
Why are Authentication Vulnerabilities so Dangerous?
There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.
Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.
Eliminating Authentication Vulnerabilities
One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.
You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.
Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.
Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.
More Information about Authentication Vulnerabilities
For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]
In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.
The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.
In this episode, we will learn:
- How some common authentication vulnerabilities are exploited
- Why they are so dangerous
- What policies and techniques can be used to eliminate authentication vulnerabilities.
How do Attackers Exploit Authentication Vulnerabilities?
There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.
The most common authentication vulnerabilities include:
- Having weak or inadequate password policies,
- Allowing unlimited login attempts,
- Providing information back to an attacker on failed logins,
- Sending credentials over insecure channels,
- Weakly hashing passwords,
- And having an insecure password recovery process.
Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.
A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.
Why are Authentication Vulnerabilities so Dangerous?
There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.
Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.
Eliminating Authentication Vulnerabilities
One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.
You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.
Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.
Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.
More Information about Authentication Vulnerabilities
For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn't do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.
The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.
In this episode, we will learn:
- How some common authentication vulnerabilities are exploited
- Why they are so dangerous
- What policies and techniques can be used to eliminate authentication vulnerabilities.
How do Attackers Exploit Authentication Vulnerabilities?
There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let's go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.
The most common authentication vulnerabilities include:
- Having weak or inadequate password policies,
- Allowing unlimited login attempts,
- Providing information back to an attacker on failed logins,
- Sending credentials over insecure channels,
- Weakly hashing passwords,
- And having an insecure password recovery process.
Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and "123456" and "password" are always in the top five. There are others. Administrators like to use "God" quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.
A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.
Why are Authentication Vulnerabilities so Dangerous?
There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn't matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.
Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.
Eliminating Authentication Vulnerabilities
One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like "password" but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.
You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.
Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won't know if they have been rejected because a user does not exist or due to having the wrong password.
Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.
More Information about Authentication Vulnerabilities
For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: [Start Here]
Table of contents
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Secure by Design: Defining Best Practices, Enabling Developers and Benchmarking Preventative Security Outcomes
In this research paper, Secure Code Warrior co-founders, Pieter Danhieux and Dr. Matias Madou, Ph.D., along with expert contributors, Chris Inglis, Former US National Cyber Director (now Strategic Advisor to Paladin Capital Group), and Devin Lynch, Senior Director, Paladin Global Institute, will reveal key findings from over twenty in-depth interviews with enterprise security leaders including CISOs, a VP of Application Security, and software security professionals.
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
Finding meaningful data on the success of Secure-by-Design initiatives is notoriously difficult. CISOs are often challenged when attempting to prove the return on investment (ROI) and business value of security program activities at both the people and company levels. Not to mention, it’s particularly difficult for enterprises to gain insights into how their organizations are benchmarked against current industry standards. The President’s National Cybersecurity Strategy challenged stakeholders to “embrace security and resilience by design.” The key to making Secure-by-Design initiatives work is not only giving developers the skills to ensure secure code, but also assuring the regulators that those skills are in place. In this presentation, we share a myriad of qualitative and quantitative data, derived from multiple primary sources, including internal data points collected from over 250,000 developers, data-driven customer insights, and public studies. Leveraging this aggregation of data points, we aim to communicate a vision of the current state of Secure-by-Design initiatives across multiple verticals. The report details why this space is currently underutilized, the significant impact a successful upskilling program can have on cybersecurity risk mitigation, and the potential to eliminate categories of vulnerabilities from a codebase.
Secure code training topics & content
Our industry-leading content is always evolving to fit the ever changing software development landscape with your role in mind. Topics covering everything from AI to XQuery Injection, offered for a variety of roles from Architects and Engineers to Product Managers and QA. Get a sneak peak of what our content catalog has to offer by topic and role.
Resources to get you started
Revealed: How the Cyber Industry Defines Secure by Design
In our latest white paper, our Co-Founders, Pieter Danhieux and Dr. Matias Madou, Ph.D., sat down with over twenty enterprise security leaders, including CISOs, AppSec leaders and security professionals, to figure out the key pieces of this puzzle and uncover the reality behind the Secure by Design movement. It’s a shared ambition across the security teams, but no shared playbook.
Is Vibe Coding Going to Turn Your Codebase Into a Frat Party?
Vibe coding is like a college frat party, and AI is the centerpiece of all the festivities, the keg. It’s a lot of fun to let loose, get creative, and see where your imagination can take you, but after a few keg stands, drinking (or, using AI) in moderation is undoubtedly the safer long-term solution.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
