Skip to main content

Posts

Showing posts from July, 2012

Password Security Recommendations

User credential / Password Security.
Recent security related embarrassment at Yahoo, LinkedIn and Sony has only proved that securing user information needs more considerations. Security is not a product rather a process.

First identifying how username/password can be leaked and its price.

Basically there are four ways an adversary can find out username/password for one or more accounts stored on the server.

 1. Password guessing - Assuming adversary knows username for one or more accounts and they can
      deploy dictionary attack to find correct password.

 2. Adversary eavesdropping on user network ( Man in Middle Attack)

 3. Adversary getting access to user computer through some virus/worm

 4. Adversary getting access to username/password table or system on the server.



Password Guessing :

Fix :
  Max invalid attempts strategy should be deployed, i.e. temporary lock the account after 4 or 5 invalid password attempt.
Cons :
  Inconveniences to user, user will endup locking and changi…