Coders Conquer Security: Share & Learn Series - Authentication11th April 2019
In this blog we will cover one of the most common problems faced by organizations that either run websites, or which allow employees to remotely access computer resources - which is pretty much everyone. And yes, you probably guessed that we are going to be talking about authentication.
If a hacker can simply log into a system as an administrator with a valid user name and password, then there is no need to deploy advanced techniques to battle network defenses. The system simply opens the door and lets the attacker inside. Worse yet, if the attacker doesn’t do anything too outlandish, their presence is almost impossible to detect since most defenses will simply see them as a valid user or administrator doing their job.
The category of authentication vulnerabilities is quite large, but we will go over the most common problems that tend to get accidentally baked into user login processes. By shoring up these holes, you can eliminate the vast majority of authentication problems from your organization.
In this episode, we will learn:
- How some common authentication vulnerabilities are exploited
- Why they are so dangerous
- What policies and techniques can be used to eliminate authentication vulnerabilities.
How do Attackers Exploit Authentication Vulnerabilities?
There are quite a few authentication vulnerabilities that might creep into an authentication system, so hackers exploit each one a little bit differently. First, let’s go over the most common vulnerabilities and then give examples demonstrating how a couple of them might be exploited.
The most common authentication vulnerabilities include:
- Having weak or inadequate password policies,
- Allowing unlimited login attempts,
- Providing information back to an attacker on failed logins,
- Sending credentials over insecure channels,
- Weakly hashing passwords,
- And having an insecure password recovery process.
Having a weak password policy is likely the most common vulnerability. If users are allowed to create passwords with no restrictions, far too many of them will use easily guessable ones. Every year various computer news organizations put out a list of the most used passwords, and “123456” and “password” are always in the top five. There are others. Administrators like to use “God” quite a lot. True, those are all either humorous or easy to remember, but also very easy to guess. Hackers know what the most common passwords are, and try them first when attempting to breach a system. If those kinds of passwords are allowed in your organization, you will get breached eventually.
A less obvious but still dangerous vulnerability is providing information back to a user regarding a failed login. This is bad because if you return one message when a user name does not exist and another when a user name exists but the password is bad, it allows attackers to map out valid users on a system and concentrate on guessing passwords just for those user names. If this is combined with the authentication vulnerability that allows unlimited password guessing, it would enable attackers to run dictionary attacks against whatever valid users they have found, which might get them into a system fairly quickly if the password is easy to guess.
Why are Authentication Vulnerabilities so Dangerous?
There is a classic tale from the American Old West about a paranoid homesteader who installed triple locks on his front door, boarded up his windows and slept with lots of guns in easy reach. In the morning he was found dead. His attackers got to him because he forgot to lock the back door. Authentication vulnerabilities are a lot like that. It really doesn’t matter what kind of monitoring tools or proactive controls you have in place or how many expert analysts you employ if an attacker can use a valid user name and password to enter your network.
Once inside, there are very few restrictions on what that attacker can do. So long as they act within their user permissions, which can be quite extensive if they have compromised an administrator account, there is very little chance that they will be caught in time to prevent serious problems. This makes the authentication class of vulnerabilities one of the most dangerous to have on any system.
Eliminating Authentication Vulnerabilities
One of the best ways to eliminate authentication vulnerabilities from a network is to have good, globally enforced password policies. Not only should users, even administrators, be restricted from using passwords like “password” but should be forced to add in a level of complexity that would make it unfeasible for an attacker to apply a dictionary or common phrases type of attack. You can come up with your own rules for password creation based on the importance of the system being protected. Doing that will make it much harder for attackers to guess or brute-force passwords.
You should also restrict the number of failed login attempts so that if an incorrect password is entered more than, say three times, the user is locked out. The lockout can be temporary as even a few minutes delay will prevent automated dictionary attacks from continuing. Or it can be permanent unless the account is unlocked by an administrator. In either case, security personnel should be alerted whenever such a lockout occurs so they can monitor the situation.
Another good way to prevent attackers from gathering information is to craft a generic message whenever either a bad user name or password is entered. It should be the same for both cases so that hackers won’t know if they have been rejected because a user does not exist or due to having the wrong password.
Authentication vulnerabilities are among the most common and dangerous on most systems. But they are also fairly easy to find and eliminate.
More Information about Authentication Vulnerabilities
For further reading, you can take a look at the OWASP authentication cheat sheet. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues’ gallery of other threats, visit the Secure Code Warrior blog.
Step up and face an authentication vulnerability head-on in the Secure Code Warrior platform: