- Credentials or authentication tickets passed in clear text
- Weak password policies
- Passwords stored insecurely
- Ineffective or lacking password complexity check
- Cookie Replay Attacks
- Dictionary Attacks
- Network Eavesdropping
- Password Brute Force Attacks
Valency Networks is a Pune, India based firm providing detailed penetration testing (pen-test) services to detect such vulnerabilities. Based on the findings, we suggest one or more of the following countermeasures, which can be incorporated to thwart such attacks.
Countermeasures against authentication attacks include:
Encrypt credentials over the wire.
Avoid sending plain-text credentials over the wire. If you must send credentials over the wire, send them over an encrypted channel so that they remain protected if they are captured during a network sniffing attack.
Protect authentication tokens.
Encrypt authentication tokens over the wire. Use an encrypted channel (for example TLS, formerly known as SSL) to prevent an attacker from sniffing authentication tokens and using them in cookie replay attacks. Mark session cookies as Secure and HttpOnly as well, so the browser never sends them over clear-text HTTP and script running in the page cannot read them.
Enforce strong password policies.
Enforce password complexity requirements by requiring long passwords with a combination of upper case, lower case, numeric and special (for example punctuation) characters. This helps mitigate the threat posed by dictionary attacks; combine it with rate limiting or account lockout on failed logons so that online guessing is slowed as well. If possible, also enforce automatic password expiry; note, however, that current NIST guidance (SP 800-63B) advises against arbitrary periodic expiry, and recommends forcing a change only when there is evidence of compromise, because routine expiry pushes users toward predictable variations of the old password.
Store password hashes (with salt) instead of the passwords or encrypted passwords.
If you implement Forms authentication, don't store user passwords if the sole purpose is to verify that the user knows the password value. Instead, store a verifier in the form of a hash value and re-compute the hash from the user-supplied value during the logon process. Avoid storing encrypted passwords because it raises key management issues: you can secure the password with encryption, but you then have to consider how to store the encryption key. Combine password hashes with a salt value (a cryptographically strong random number, unique per user) so that identical passwords do not produce identical hashes and precomputed dictionary (rainbow) tables are useless. A salt on its own does not slow down a brute force attack; for that, derive the verifier with a deliberately slow password hashing function such as PBKDF2, bcrypt, scrypt or Argon2 rather than a single pass of a general-purpose hash, and compare the recomputed value in constant time.
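The following is an added example, not code from the original page or from Valency Networks, that puts the two password countermeasures above into working form: a complexity check for the policy described under "Enforce strong password policies", and a salted, iterated verifier (PBKDF2-HMAC-SHA256 from the Python standard library) that is stored instead of the password and re-computed at logon. The storage format, the minimum length of 12 and the iteration count are assumptions chosen for the example; the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256 and should be tuned to your hardware.

```python
import hashlib
import hmac
import os
import re
from typing import List

# Assumed policy parameters for this example (not from the original page).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per user
MIN_LENGTH = 12


def check_policy(password: str) -> List[str]:
    """Return the complexity rules the password fails (empty list = accepted)."""
    rules = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password) is not None, "an upper-case letter"),
        (re.search(r"[a-z]", password) is not None, "a lower-case letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a special character"),
    ]
    return [rule for ok, rule in rules if not ok]


def make_verifier(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted verifier to store; the plaintext password is never kept."""
    salt = os.urandom(SALT_BYTES)  # cryptographically strong random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Assumed storage format: algorithm$iterations$salt$hash, all self-describing,
    # so the work factor can be raised later without breaking old records.
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-compute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        # Malformed record: fail closed rather than raise into the logon path.
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current policy.

    Call this after a successful logon (the only time the plaintext is available)
    and re-run make_verifier() to upgrade the stored record.
    """
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    password = "Correct-Horse-9"
    print("policy failures:", check_policy(password))
    record_a = make_verifier(password)
    record_b = make_verifier(password)
    print("same password, different verifiers:", record_a != record_b)
    print("correct password accepted:", verify_password(record_a, password))
    print("wrong password rejected:", not verify_password(record_a, "Correct-Horse-8"))
```

The two verifiers for the same password differ only because of the per-user salt; that is exactly what defeats a precomputed dictionary. The work factor, not the salt, is what makes each guess expensive, which is why the record carries its iteration count and `needs_rehash()` lets you raise it over time.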