
Password Security Recommendations


User credential / Password Security.


Recent security-related embarrassments at Yahoo, LinkedIn and Sony have only proved that securing user information needs more consideration. Security is not a product but a process.

First, identify how a username/password can be leaked, and what each kind of leak costs.

Basically, there are four ways an adversary can find out the username/password for one or more accounts stored on the server.

 1. Password guessing - assuming the adversary knows the username for one or more accounts, they can
      deploy a dictionary attack to find the correct password.

 2. Adversary eavesdropping on the user's network (Man in the Middle attack)

 3. Adversary getting access to the user's computer through some virus/worm

 4. Adversary getting access to the username/password table or system on the server.



Password Guessing :

Fix :
  A max-invalid-attempts strategy should be deployed, i.e. temporarily lock the account after 4 or 5 invalid password attempts.
Cons :
  Inconvenience to the user: users will end up locking and changing passwords frequently.
  An attacker can easily mass-lock accounts using a DoS (block such IPs).
Note: Encrypting passwords on the server side or securing the servers will not save one from this attack.
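The lockout strategy above, together with the per-IP blocking the "Cons" line suggests, as an added example (this is not code from the original post). It locks an account after the post's 4-or-5 invalid attempts and, separately, blocks a source IP that keeps failing across many accounts so one host cannot cheaply mass-lock users; the 15-minute lock duration, the per-IP threshold of 20 and the in-memory `LoginGuard` class are assumptions of this example:

```python
"""Temporary account lockout after repeated invalid password attempts, plus
per-source-IP blocking so one host cannot cheaply mass-lock accounts.
Added example, not from the original post; thresholds other than the
post's 4-or-5 attempts are assumptions."""
import time
from dataclasses import dataclass

MAX_INVALID_ATTEMPTS = 5      # the post suggests locking after 4 or 5 invalid attempts
LOCK_SECONDS = 15 * 60        # assumed lock duration; the post gives none
IP_MAX_FAILURES = 20          # assumed: failures from one IP before that IP is blocked


@dataclass
class _Counter:
    failures: int = 0
    blocked_until: float = 0.0   # epoch seconds; 0.0 means not blocked


class LoginGuard:
    def __init__(self, max_attempts=MAX_INVALID_ATTEMPTS, lock_seconds=LOCK_SECONDS,
                 ip_max_failures=IP_MAX_FAILURES, clock=time.time):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.ip_max_failures = ip_max_failures
        self.clock = clock          # injectable so tests can move time forward
        self._accounts = {}         # username  -> _Counter (in-memory; persist this in production)
        self._sources = {}          # source IP -> _Counter

    @staticmethod
    def _refresh(counter, now):
        """Clear an expired lock so the next failure window starts from zero."""
        if counter.blocked_until and now >= counter.blocked_until:
            counter.failures = 0
            counter.blocked_until = 0.0

    def seconds_locked(self, username):
        st = self._accounts.get(username)
        return 0 if st is None else max(0, int(st.blocked_until - self.clock()))

    def attempt(self, username, source_ip, verify):
        """verify is a zero-argument callable that checks the submitted password.
        It is only invoked when neither the source IP nor the account is blocked,
        so a locked account yields no information about whether the guess was right.
        Returns 'ip_blocked', 'locked', 'ok' or 'invalid'."""
        now = self.clock()
        src = self._sources.setdefault(source_ip, _Counter())
        acct = self._accounts.setdefault(username, _Counter())
        self._refresh(src, now)
        self._refresh(acct, now)
        if now < src.blocked_until:
            return "ip_blocked"
        if now < acct.blocked_until:
            return "locked"
        if verify():
            acct.failures = 0
            return "ok"
        acct.failures += 1
        src.failures += 1
        if src.failures >= self.ip_max_failures:
            src.blocked_until = now + self.lock_seconds
        if acct.failures >= self.max_attempts:
            acct.blocked_until = now + self.lock_seconds
            return "locked"
        return "invalid"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(5):
        print(guard.attempt("alice", "192.0.2.10", lambda: False))   # invalid x4, then locked
    print(guard.attempt("alice", "192.0.2.10", lambda: True))        # still locked: right password refused
```

Note that the password check runs only when nothing is blocked, so a locked account answers "locked" for right and wrong guesses alike; the per-IP counter is what limits the mass-lock DoS, and in a real deployment both counters would live in shared storage rather than in process memory.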

Man in the Middle Attack :
Fix :
   Enable SSL/TLS (HTTPS) with a minimum of 128 bits; this will take care of message confidentiality and integrity.
Note : Any secure system should function over TLS; otherwise it will send all communication in plain text, and this communication will be freely available to everyone in the middle (local network, ISP etc.).

Key-logger / Worm :

An adversary can easily get access to the username/password via a keylogger/worm/virus installed on the user's computer.
Fix : The application should track user logins from all IPs and notify the user by email whenever a new IP is used.
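The new-IP alert from the fix above, as an added example that is not part of the original post. It keeps the set of addresses each user has signed in from, raises an alert the first time an address is seen for that user, and can be fed login records from a log; the `LOGIN user=... ip=...` line format, the sample lines and the `LoginTracker` class are constructed for this illustration, and the `notify` hook stands in for whatever sends the email:

```python
"""Alert a user the first time their account signs in from an IP address not
seen before for that user. Added example, not from the original post; the
log format and the sample log lines are constructed for this illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed log format: "<timestamp> LOGIN user=<name> ip=<address>"
LOGIN_RE = re.compile(r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+)$")


@dataclass(frozen=True)
class Alert:
    username: str
    ip: str
    timestamp: str

    def message(self):
        return f"New sign-in to your account from {self.ip} at {self.timestamp}"


class LoginTracker:
    def __init__(self, notify=None):
        self.notify = notify      # e.g. a function that emails the user; None just collects alerts
        self.known_ips = {}       # username -> set of normalized IP strings seen so far
        self.alerts = []

    def record(self, username, ip_text, timestamp):
        """Return an Alert if this IP is new for the user, else None.
        Raises ValueError for text that is not an IP address."""
        ip = str(ipaddress.ip_address(ip_text))   # normalizes e.g. zero-padded IPv6 spellings
        seen = self.known_ips.setdefault(username, set())
        if ip in seen:
            return None
        seen.add(ip)
        alert = Alert(username, ip, timestamp)
        self.alerts.append(alert)
        if self.notify is not None:
            self.notify(username, alert.message())
        return alert

    def process_log(self, lines):
        """Feed successful-login log lines through the tracker; returns the alerts raised.
        Lines that are not login records, or carry an unparsable address, are skipped."""
        raised = []
        for line in lines:
            m = LOGIN_RE.match(line.strip())
            if not m:
                continue
            try:
                alert = self.record(m["user"], m["ip"], m["ts"])
            except ValueError:
                continue
            if alert is not None:
                raised.append(alert)
        return raised


# Constructed sample log: alice returns from a known address, then appears from a new one;
# bob's two IPv6 lines spell the same address differently and must count as one.
SAMPLE_LOG = """\
2012-06-07T10:15:02Z LOGIN user=alice ip=192.0.2.10
2012-06-07T10:42:51Z LOGIN user=bob ip=203.0.113.5
2012-06-07T18:03:17Z LOGIN user=alice ip=192.0.2.10
2012-06-08T02:27:40Z LOGIN user=alice ip=198.51.100.7
2012-06-08T09:00:00Z LOGIN user=bob ip=2001:db8::1
2012-06-08T09:30:00Z LOGIN user=bob ip=2001:0db8:0000:0000:0000:0000:0000:0001
2012-06-08T09:31:00Z LOGOUT user=bob
"""

if __name__ == "__main__":
    tracker = LoginTracker(notify=lambda user, msg: print(f"[email to {user}] {msg}"))
    tracker.process_log(SAMPLE_LOG.splitlines())
```

Normalizing through `ipaddress` matters: an alert keyed on the raw string would fire twice for bob's IPv6 address. The first login a user ever makes also raises an alert here, which is what the fix as stated asks for; seeding the known set from historical logs before switching alerts on is the usual way to avoid a burst of first-day emails.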


DB Leak

An adversary can get access to the database containing one or more username/password pairs either through an electronic hack, through an unhappy employee, or through a physical server-room job.

This is a major embarrassment! It destroys the organization's brand, value and trust.

Fix :
  Salt and hash both the username and the password (i.e. one-way encryption). The random salts should be stored on a separate system from the one where the usernames/passwords are stored.
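The fix above, as an added example that is not code from the original post. Two in-memory classes stand in for the two systems the post describes: a credential table holding only salted one-way hashes of username and password, and a separate salt system holding the random per-user salts. PBKDF2-HMAC-SHA256 is the one-way function chosen here, with an assumed work factor; keying the salt system's rows by an HMAC of the username under a key that lives only on that system (so that it stores neither usernames nor password hashes) is my assumption about how the lookup can work, not something the post specifies:

```python
"""Salted one-way hashing of username and password, with the random salts
held on a separate system from the credential table. Added example, not from
the original post; the split into SaltSystem/CredentialTable, the HMAC-keyed
salt lookup and the PBKDF2 work factor are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16


def derive(secret, salt):
    """One-way, salted hash (PBKDF2-HMAC-SHA256); used for both username and password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class SaltSystem:
    """Stands in for the separate system that holds the random salts.
    Rows are keyed by an HMAC of the username under a key known only here,
    so a copy of this store alone reveals neither usernames nor passwords."""
    def __init__(self):
        self._key = os.urandom(32)
        self._salts = {}

    def _handle(self, username):
        return hmac.new(self._key, username.encode("utf-8"), "sha256").hexdigest()

    def create(self, username):
        salt = os.urandom(SALT_BYTES)
        self._salts[self._handle(username)] = salt
        return salt

    def lookup(self, username):
        return self._salts.get(self._handle(username))


class CredentialTable:
    """Stands in for the username/password table: salted hashes only, no salts."""
    def __init__(self):
        self._rows = {}   # hashed username (bytes) -> hashed password (bytes)

    def put(self, user_hash, pw_hash):
        self._rows[user_hash] = pw_hash

    def get(self, user_hash):
        return self._rows.get(user_hash)

    def dump(self):
        """What an attacker who copies only this table gets to see."""
        return dict(self._rows)


class AuthService:
    def __init__(self):
        self.salts = SaltSystem()
        self.table = CredentialTable()

    def register(self, username, password):
        salt = self.salts.create(username)
        self.table.put(derive(username, salt), derive(password, salt))

    def verify(self, username, password):
        salt = self.salts.lookup(username)
        if salt is None:
            # unknown user: do the same amount of work so response time does not
            # reveal which usernames exist
            derive(password, os.urandom(SALT_BYTES))
            return False
        stored = self.table.get(derive(username, salt))
        if stored is None:
            return False
        return hmac.compare_digest(stored, derive(password, salt))


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    print(svc.verify("alice", "correct horse battery staple"))   # True
    print(svc.verify("alice", "wrong password"))                 # False
    for user_hash, pw_hash in svc.table.dump().items():
        print(user_hash.hex(), pw_hash.hex())                    # no usernames, no salts
```

A leaked credential table on its own now contains only 32-byte digests: without the salts from the other system an attacker cannot even confirm which row belongs to a given username, and two users who chose the same password get different digests. The salt lookup runs one PBKDF2 derivation for the username and one for the password on every login, so the iteration count should be chosen with that doubled cost in mind.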

These were the very high-level things one needs to consider when designing a security strategy.

If you are interested in a more detailed evaluation, feel free to contact me on LinkedIn.
