Account Management
Troy Hunt
troyhunt.com
@troyhunt
Outline
Understanding password strength and attack vectors
Limiting characters in passwords
Emailing credentials on account creation
Account enumeration
Denial of service via password reset
Correctly securing the reset processes
Establishing insecure password storage
Testing for risks in the “remember me” feature
Re-authenticating before key actions
Testing for authentication brute force
Understanding password security
Password security is driven by two primary factors
Strength
Uniqueness
The more of each, the better!
Sources of attacks against passwords
Remote
Man in the middle attack against the transport layer
Password retrieved after being sent in an email
Accounts brute-forced via HTTP posts
Admin facility compromised
SQL injection risk exploited
Local
Passwords retrieved from a backup
Admins with direct access to password storage
Brute force attacks against password cryptography
Common password storage practices
Plain text
There’s no cryptography, everything is immediately exposed if the password
storage is breached
Encrypted
Encryption (usually via a symmetric key) exists, but… there’s also decryption
Hashed
A one-way, deterministic algorithm which means that passwords can’t be
unhashed
Protecting against authentication brute force
Account lockout
Disable the account after X failed login attempts
…but then you need a mechanism to re-enable it
Restrict logon attempts by IP address
Set an allowable “rate” for the same IP to attempt to login
…but attackers may have many IPs and legitimate users may share IPs
Fingerprint the client and scale the rate
Uniquely identify the client based on request attributes then slow the rate at
which they can attempt to logon
…but the fingerprint can be manipulated by an attacker
Summary
Help customers maximise their password strength
No arbitrary length limits, there are no “special” characters!
Credentials never go into email. Ever.
Account enumeration risks can disclose account holder identities
Be conscious of a DoS on user accounts
Always verify ownership before resetting
Always provide a reset link to set a new password
Make it a time-limited, one time token keyed to the user
Look for practices which disclose improper password storage
If you can get a plain text password, the storage is insufficient
Ask for re-authentication before key actions are performed
Don’t allow endless attempts to authenticate to the system
Lockouts, throttling and client fingerprinting are all potential mitigations