Posts

Showing posts from July, 2012

Password Security Recommendations

User credential / password security. Recent security-related embarrassments at Yahoo, LinkedIn and Sony have only proved that securing user information needs more consideration. Security is not a product; rather, it is a process. The first step is identifying how a username/password can be leaked and what that leak costs. Basically there are four ways an adversary can find out the username/password for one or more accounts stored on the server.

1. Password guessing: assuming the adversary knows the username for one or more accounts, they can deploy a dictionary attack to find the correct password.
2. Adversary eavesdropping on the user's network (man-in-the-middle attack).
3. Adversary getting access to the user's computer through some virus/worm.
4. Adversary getting access to the username/password table or system on the server.

Password guessing

Fix: A max-invalid-attempts strategy should be deployed, i.e. temporarily lock the account after 4 or 5 invalid password attempts.

Cons: Inconveniences to user, user
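The max-invalid-attempts fix above, written out as a small account-lockout policy. This is an added example, not code from the original post; the class and function names, the threshold of 5 consecutive failures and the 15-minute lock are assumptions chosen to illustrate the idea, and the clock is injectable so the expiry of a temporary lock can be exercised without waiting.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed threshold: lock after this many consecutive failures
LOCK_SECONDS = 15 * 60  # assumed temporary lock duration (15 minutes)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success / lock expiry
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class FakeClock:
    """Constructed, controllable clock for demos and tests (stands in for time.time)."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LockoutPolicy:
    """Temporarily locks an account after too many consecutive invalid passwords."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lock_seconds=LOCK_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.accounts = {}  # username -> AccountState (in a real system: persistent store)

    def _state(self, username):
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username):
        st = self._state(username)
        if st.locked_until:
            if self.clock() < st.locked_until:
                return True
            # Lock has expired: clear it and give the user a fresh attempt budget.
            st.locked_until = 0.0
            st.failures = 0
        return False

    def attempt(self, username, password_ok):
        """Record one login attempt. Returns "locked", "ok" or "fail".

        password_ok is the result of the caller's password verification
        (e.g. a constant-time hash comparison); while the account is locked
        the caller should not even perform that verification.
        """
        if self.is_locked(username):
            return "locked"
        st = self._state(username)
        if password_ok:
            st.failures = 0  # a success resets the consecutive-failure counter
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = self.clock() + self.lock_seconds
            return "locked"
        return "fail"


def demo():
    """Walk through 5 wrong guesses, a correct password during the lock, then expiry."""
    clock = FakeClock(1_000.0)
    policy = LockoutPolicy(max_attempts=5, lock_seconds=900, clock=clock)
    results = [policy.attempt("alice", False) for _ in range(5)]  # 4 x "fail", then "locked"
    results.append(policy.attempt("alice", True))  # right password, but still inside the lock
    clock.advance(901)                              # lock window has passed
    results.append(policy.attempt("alice", True))  # now accepted
    return results


if __name__ == "__main__":
    print(demo())
```

The "cons" the post starts to list are visible in `demo()`: once locked, even the legitimate user with the correct password is turned away until the window expires, which is why the lock is temporary rather than permanent and why the duration is a tuning decision between inconvenience and resistance to guessing.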