Over years of penetration testing, HALOCK has seen some enduring security vulnerabilities. They are so common, in fact, that we have come to expect to see them in the field. Many information security breaches occur because authentication vulnerabilities permit unauthorized access to applications, systems and data. If you were to follow these tips, our penetration tests would be much less fruitful (and that’s a good thing!).
- Ensure that user registration, especially self-registration on web applications, forces users to create a strong password. The riskier the data, the more complex the password should be.
- Encourage users (and application architects) to use long passphrases instead of hard-to-remember 8-character passwords built from a mix of upper-case, lower-case, numeric and special characters.
- Always change default credentials and disable unnecessary accounts before a system is deployed.
- Ensure that lock-out mechanisms limit the number of bad attempts, and disable accounts after a specified number of invalid authentication attempts. High-risk applications should require the end-user to verify their identity before their account is unlocked.
- Employ secondary mechanisms for forgotten password retrieval to ensure that only the legitimate users can request a reset.
- Always send passwords securely to prevent interception in transit. And be sure to avoid sending user names and passwords in the same delivery.
- Close off policy “workarounds.” For example, if there is no minimum password age, a user can effectively keep the same password indefinitely: when it expires, they change it as many times as necessary to push the old password out of the “remember previous passwords” history, then change it back to the original.
- Consider implementing Single Sign-On (SSO) with a known, high-reputation system or partner. SSO can significantly reduce end-users’ burden of managing, remembering, and changing multiple passwords. Remember, your end-users are often your weakest point. Making things easy for them reduces your risk and theirs.
- Two-factor authentication, which adds a second (or third) factor to the authentication process, is highly effective at preventing unauthorized access because an attacker would need more than just a user’s password to impersonate them.
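The password-age workaround and the lockout threshold from the list above, as an added example (not HALOCK’s code): a toy account model in which the `Account` class, its default thresholds and the constructed passwords are assumptions. With a minimum age of zero the user can cycle straight through the history and back to the original password; with a minimum age of one day that final change is rejected, and repeated bad guesses lock the account.

```python
import hashlib
from datetime import datetime, timedelta

class Account:
    def __init__(self, history_size=3, min_age_days=1, max_attempts=5):
        self.history_size = history_size             # "remember previous N passwords"
        self.min_age = timedelta(days=min_age_days)  # 0 = no minimum age (the workaround)
        self.max_attempts = max_attempts             # lockout threshold
        self.history, self.last_change = [], None    # hashes of recent passwords, newest last
        self.failed, self.locked = 0, False

    @staticmethod
    def _digest(pw):  # illustrative only; a real store uses a salted, slow hash (bcrypt/argon2)
        return hashlib.sha256(pw.encode()).hexdigest()

    def set_password(self, new_pw, now):
        if self.last_change is not None and now - self.last_change < self.min_age:
            return "rejected: minimum age not reached"
        if self._digest(new_pw) in self.history:
            return "rejected: password in history"
        self.history = (self.history + [self._digest(new_pw)])[-self.history_size:]
        self.last_change = now
        return "ok"

    def login(self, pw):
        if self.locked:
            return "locked"  # stays locked until identity is verified out of band
        if self.history and self._digest(pw) == self.history[-1]:
            self.failed = 0
            return "ok"
        self.failed += 1
        self.locked = self.failed >= self.max_attempts
        return "invalid"

def cycle_back(min_age_days, history_size=3):
    """Change the password history_size times within a minute, then try to
    return to the original; returns the outcome of that final change."""
    acct = Account(history_size=history_size, min_age_days=min_age_days)
    t0 = datetime(2024, 1, 1)  # constructed timestamps
    acct.set_password("Original-Passphrase!", t0)
    for i in range(history_size):
        acct.set_password(f"throwaway-{i}", t0 + timedelta(seconds=i + 1))
    return acct.set_password("Original-Passphrase!", t0 + timedelta(minutes=1))

def lockout_after_guesses(max_attempts=5):
    """Returns (result of the last bad guess, result of the correct password afterwards)."""
    acct, now = Account(max_attempts=max_attempts), datetime(2024, 1, 1)
    acct.set_password("Correct-Passphrase!", now)
    results = [acct.login(f"guess-{i}") for i in range(max_attempts)]
    return results[-1], acct.login("Correct-Passphrase!")
```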
When all of the above controls are implemented, an attacker will have a hard time gaining access to your systems by targeting user accounts or using brute-force methods. Coupled with monitoring controls like Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR), you will have time to recognize an attacker trying to compromise your systems.