8 Authentication vulnerabilities


In this chapter

  • How attackers attempt to guess credentials on your web application by using brute-force attacks
  • How to stop brute-force attacks by implementing a variety of defenses
  • How to store credentials securely
  • How your web application might leak the existence of usernames, and why that’s bad

Many web applications are designed for interaction among users, whether that interaction is sharing cat videos or arguing about recipes in the comments section of the New York Times website. User accounts on websites represent our online presence, and as such, they have value to hackers. For some sites, the value is obvious: compromised credentials for banking websites can be used directly for fraud. Other types of stolen accounts can be used for marketing scams or identity theft.

If your website has a login page, you have a responsibility to protect the identity of your users. This responsibility means keeping their credentials—the information each user has to enter to gain access to their account—out of the hands of attackers. Let’s look at some of the ways attackers attempt to steal credentials and how to stop them.

Brute-force attacks

Single sign-on

OpenID Connect and OAuth

Security Assertion Markup Language

Strengthening your authentication

Password complexity rules

CAPTCHAs

Rate limiting

Multifactor authentication

Biometrics

Storing credentials

Hashing, salting, and peppering your passwords

Secure credentials for outbound access

User enumeration

Public usernames

Timing attacks
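The outline lists hashing, salting and peppering of stored passwords, and timing attacks as one way a login form leaks whether a username exists. The Python below is an added example written for this page, not the book's own code, showing how those two points fit together: each password is hashed with a per-user random salt and a server-wide pepper, and the login routine burns the same hashing work and returns the same message whether or not the username exists. The pepper value, the iteration count, the user table and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed pepper for this example. In deployment it is a secret held
# outside the database (KMS, HSM or environment), never stored beside the salts,
# so a dumped users table alone is not enough to run an offline guessing attack.
PEPPER = b"example-pepper-not-a-real-secret"

# Work factor: raise until one hash costs a noticeable fraction of a second on
# the login server. Lower here so the example runs quickly.
ITERATIONS = 100_000

ALGO = "pbkdf2-sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2-sha256$iterations$salt_hex$digest_hex'.

    The password is first keyed with the pepper via HMAC, then stretched with
    PBKDF2 over a 16-byte random salt, so two users with the same password get
    different records and rainbow tables are useless.
    """
    salt = salt or secrets.token_bytes(16)
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the stored record from its own salt and iteration count and
    compare in constant time, so the comparison itself does not leak bytes."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed user table standing in for a database.
USERS = {"alice": hash_password("correct horse battery staple")}

# Hash of a throwaway random password. Verifying against it when the username
# is unknown costs the same as verifying a real user, so response time does
# not reveal which usernames exist.
DUMMY_HASH = hash_password(secrets.token_hex(16))

GENERIC_FAILURE = "Invalid username or password."


def login(username: str, password: str) -> tuple:
    """Authenticate without leaking username existence through the message or
    the time taken. Returns (success, message)."""
    stored = USERS.get(username, DUMMY_HASH)
    # Always run the full verification before checking membership, so both
    # the unknown-user and wrong-password paths do the same amount of work.
    ok = verify_password(password, stored) and username in USERS
    return (ok, "Login successful." if ok else GENERIC_FAILURE)


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong"))
    print(login("nobody", "wrong"))
```

Applying the pepper with HMAC rather than by concatenation keeps it a fixed-length key and means rotating it is a matter of re-keying, while the salt and iteration count travel inside the stored record so they can be raised per user over time. The dummy-hash trick equalizes server-side work but not network jitter, so it complements rather than replaces the rate limiting and CAPTCHA defenses listed above; the generic failure message is what stops the cheaper leak, a different error for "no such user".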

Summary