8 Authentication vulnerabilities
In this chapter
- How attackers attempt to guess credentials on your web application by using brute-force attacks
- How to stop brute-force attacks by implementing a variety of defenses
- How to store credentials securely
- How your web application might leak the existence of usernames, and why that’s bad
Many web applications are designed for interaction among users, whether that interaction is sharing cat videos or arguing about recipes in the comments section of the New York Times website. User accounts on websites represent our online presence, and as such, they have value to hackers. For some sites, the value is obvious: compromised credentials for banking websites can be used directly for fraud. Other types of stolen accounts can be used for marketing scams or identity theft.
If your website has a login page, you have a responsibility to protect the identity of your users. This responsibility means keeping their credentials—the information each user has to enter to gain access to their account—out of the hands of attackers. Let’s look at some of the ways attackers attempt to steal credentials and how to stop them.