Solved

Authentication portals

Posted on 2009-04-14
1
272 Views
Last Modified: 2012-05-06
I am doing some research into login portals on websites/web services, and I am after some up to date expert knowledge of the threats against such portals.

By login portal I am simply talking about any web site or service that requires Single-factor authentication (a username and a password).

Some of the security we already have in place are account lockout mechanisms to prevent brute force or guessing attacks, we have changed any default accounts / default passwords, encryption of the credentials using https etc etc.

My question is without either a username or password how do attackers try to penetrate or "hack" into a System that requires authentication credentials, essentially bypassing the login portal. Any pointers and best practice to help prevent such attacks would be much appreciated.
0
Comment
Question by:pma111
1 Comment
 
LVL 10

Accepted Solution

by:
Chris_Gralike earned 250 total points
ID: 24139173
Good but complex question.

When looking at any login / authentication page or application there are indeed various ways to rome. When i limit my scope to the application of the portal as describe above there might still be various ways in.

But before you start building you bunker you should first answer some questions to yourself to gain some understandig about the threats themselfs. Usually people turn to the CIA model as a guide to what needs to be protected in the first place...

Confidentiality
1. Authentication
2. Ownerships
3. Read / Write / modify access
....

Integrity
1. Verify (backup)
2. Dataguard
4. Versioning
....
Availability
1. Clustering
2. Offsite Replication
3. Failover connectivity
....

To anwser your question directly, find out what your attack vectors are by thinking what a hacker could potentially use to gain access. Usually it starts with the system itself, is your scripting language save? (php savemode for instance?)

Is the script / login application written safely and only for your company or is it public. Do you have trustworthy personel, are there policies in place agains social engineering. Do people understand why there is a lockout policy in the first place?

In the end, make sure the doorstep is high enough and hard enough to crack that will keep out most of them. And accept that you are never perfectly save with a network plug connected to the internet ;)

Rgrds,
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What is Node.js? Node.js is a server side scripting language much like PHP or ASP but is used to implement the complete package of HTTP webserver and application framework. The difference is that Node.js’s execution engine is asynchronous and event…
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
This video teaches users how to migrate an existing Wordpress website to a new domain.
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question