Solved

Authentication portals

Posted on 2009-04-14
276 Views
Last Modified: 2012-05-06
I am doing some research into login portals on websites/web services, and I am after some up-to-date expert knowledge of the threats against such portals.

By login portal I am simply talking about any web site or service that requires single-factor authentication (a username and a password).

Some of the security measures we already have in place are account lockout mechanisms to prevent brute-force or guessing attacks; we have changed any default accounts/default passwords, we encrypt the credentials using HTTPS, etc.

My question is: without either a username or a password, how do attackers try to penetrate or "hack" into a system that requires authentication credentials, essentially bypassing the login portal? Any pointers and best practices to help prevent such attacks would be much appreciated.
Question by:pma111

Accepted Solution

by:
Chris Gralike earned 250 total points
ID: 24139173
Good but complex question.

When looking at any login/authentication page or application there are indeed various ways to roam. When I limit my scope to the application of the portal as described above there might still be various ways in.

But before you start building your bunker you should first answer some questions yourself to gain some understanding of the threats themselves. Usually people turn to the CIA model as a guide to what needs to be protected in the first place...

Confidentiality
1. Authentication
2. Ownership
3. Read / write / modify access
....

Integrity
1. Verify (backup)
2. Dataguard
3. Versioning
....

Availability
1. Clustering
2. Offsite replication
3. Failover connectivity
....

To answer your question directly, find out what your attack vectors are by thinking about what a hacker could potentially use to gain access. Usually it starts with the system itself: is your scripting language safe? (PHP safe mode, for instance?)

Is the script/login application written safely and only for your company, or is it public? Do you have trustworthy personnel? Are there policies in place against social engineering? Do people understand why there is a lockout policy in the first place?

In the end, make sure the doorstep is high enough and hard enough to crack that it will keep out most of them. And accept that you are never perfectly safe with a network plug connected to the internet ;)

Rgrds,
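The asker lists an account lockout mechanism as one of the controls already in place, and the answer notes that people need to understand why a lockout policy exists. As an added illustration (this is not code from the question, the answer, or any product mentioned on the page), the following Python sketch shows how such a portal can enforce a per-account lockout while still storing passwords as salted PBKDF2 hashes and comparing them in constant time. The threshold of five failures, the 15-minute lockout window, the PBKDF2 iteration count, and the injectable clock are all assumptions made for the example; a real deployment would pick these from its own policy and persist state in a database rather than in memory.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy parameters: assumed values for this example, not taken from the page.
MAX_FAILURES = 5            # failed attempts allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked
PBKDF2_ITERATIONS = 100_000 # work factor for the stored password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password and a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed logins since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class ManualClock:
    """Deterministic clock so lockout expiry can be exercised without sleeping."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class LoginPortal:
    """Minimal single-factor login check with per-account lockout (example only)."""

    def __init__(self, clock=time.time) -> None:
        self.accounts: dict[str, Account] = {}
        self.clock = clock
        self.audit: list[tuple[float, str, str]] = []  # (time, username, outcome) for detection

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt=salt, digest=hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return "ok", "denied", or "locked". The caller shows the same generic
        failure message for "denied" and "locked" so the response does not reveal
        which accounts exist or which ones are currently locked."""
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            self._record(now, username, "denied")
            return "denied"

        if account.locked_until > now:
            # A correct password is still refused while the lock is active;
            # that is the whole point of the control.
            self._record(now, username, "locked")
            return "locked"

        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):
            account.failures = 0
            self._record(now, username, "ok")
            return "ok"

        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.failures = 0
            account.locked_until = now + LOCKOUT_SECONDS
            self._record(now, username, "locked")
            return "locked"

        self._record(now, username, "denied")
        return "denied"

    def _record(self, when: float, username: str, outcome: str) -> None:
        self.audit.append((when, username, outcome))


if __name__ == "__main__":
    clock = ManualClock(1_000.0)
    portal = LoginPortal(clock=clock)
    portal.register("alice", "correct horse battery")
    for attempt in range(MAX_FAILURES):
        print(attempt + 1, portal.login("alice", "wrong"))
    print("after lockout:", portal.login("alice", "correct horse battery"))
    clock.now += LOCKOUT_SECONDS + 1
    print("after expiry:", portal.login("alice", "correct horse battery"))
```

The audit list is what a detection team would actually want from a portal like this: a burst of "denied" outcomes against many different usernames from one source, or repeated "locked" outcomes, is the signal that the lockout policy is doing its job and that someone should look at the traffic. Note that the lockout is keyed on the account, not on the client address, so the same record is updated regardless of where the attempts come from.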
