OWASP WebGoat Series - Authentication Flaws
Authentication is a major part of access control. Users authenticate to prove they are who they say they are, and a password combined with a username is the most common way to do so.
Having a strong password is often not enough to keep your accounts secure. Adding further authentication factors alongside your password ensures your account stays well protected.
- Single-Factor Authentication relies on a password alone
- Two-Factor Authentication (2FA) relies on one additional factor alongside a username and password (e.g. PIN, security question, security token)
- Multi-Factor Authentication (MFA) uses two or more additional security factors (e.g. security cards, security codes, fingerprint)
Since passwords are the common way to authenticate a user, learning how to create strong passwords and store them securely prevents attackers from getting hold of them.
The National Institute of Standards and Technology (NIST), known for its security best practices, recently finalized its new password guidelines:
- 8 character minimum when a human sets it
- 6 character minimum when set by a system/service
- Support at least 64 characters maximum length
- All ASCII characters (including space) should be supported
- Truncation of the secret (password) shall not be performed when processed
- Check chosen password with known password dictionaries
- Allow at least 10 password attempts before lockout
- No complexity requirements
- No password expiration period
- No password hints
- No knowledge-based authentication (e.g. who was your best friend in high school?)
- No SMS for 2FA (use a one-time password from an app like Google Authenticator)
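The list above is a policy, and the paragraph before it asks for secure storage, so here is one way to implement both. This is an added example, not code from the post or from WebGoat: it is a Python validator that enforces the NIST length rules, rejects rather than truncates over-long input, accepts spaces and all printable characters, has no composition rules, checks a (constructed, stand-in) breached-password list, stores passwords as salted PBKDF2 hashes, and counts failed logins against the 10-attempt lockout. The `BREACHED_PASSWORDS` set, the `AccountGuard` class and all constant names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a real breached-password dictionary
# (e.g. the Have I Been Pwned corpus); not from the original post.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                      "correct horse battery staple"}

MIN_LEN_HUMAN = 8     # NIST: 8-character minimum when a human chooses it
MIN_LEN_SYSTEM = 6    # NIST: 6-character minimum when a service generates it
MAX_LEN = 64          # NIST: support at least 64 characters
MAX_ATTEMPTS = 10     # NIST: allow at least 10 attempts before lockout
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def _canon(password):
    """NFKC-normalise so the string we validate is the string we hash."""
    return unicodedata.normalize("NFKC", password)


def validate_password(password, human_chosen=True):
    """Return a list of policy violations; an empty list means acceptable.
    Deliberately has no composition rules ('must contain a digit' etc.),
    following the NIST guidance quoted above."""
    pw = _canon(password)
    problems = []
    minimum = MIN_LEN_HUMAN if human_chosen else MIN_LEN_SYSTEM
    if len(pw) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if len(pw) > MAX_LEN:
        # Reject instead of silently truncating the secret.
        problems.append(f"longer than {MAX_LEN} characters")
    if not pw.isprintable():
        # Space and every printable character are fine; only control
        # characters (tab, newline, ...) are refused.
        problems.append("contains non-printable characters")
    if pw.lower() in BREACHED_PASSWORDS:
        # Case-insensitive lookup: a stricter dictionary check than exact match.
        problems.append("appears in a known breached-password list")
    return problems


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 hash, encoded as '<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _canon(password).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", _canon(password).encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountGuard:
    """Per-account failed-login counter implementing the lockout rule.
    Returns 'ok', 'denied' or 'locked' so callers never see hash details."""

    def __init__(self, stored_hash):
        self.stored = stored_hash
        self.failures = 0

    def login(self, password):
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        if verify_password(password, self.stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_ATTEMPTS else "denied"


if __name__ == "__main__":
    for candidate in ["short", "correct horse battery staple", "a" * 65, "Tr0ub4dor"]:
        print(repr(candidate[:20]), validate_password(candidate) or "accepted")
    stored = hash_password("Tr0ub4dor")
    guard = AccountGuard(stored)
    print(guard.login("wrong"), guard.login("Tr0ub4dor"))
```

Note that the validator returns every violation at once rather than stopping at the first, which gives the user one round of feedback, and that the breached-list check is the only "strength" rule, which is exactly the trade NIST makes: length and known-bad-password screening instead of complexity requirements.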
(I will go a lot deeper into this topic in a future post.)
Is your account secure?
Having a weak password has consequences - attackers are getting ever more clever at getting the information they want. Using websites like Have I Been Pwned? or Dehashed to check whether your accounts have already been compromised is a smart way to decide which passwords you can and cannot use.