Solved

Authentication portals

Posted on 2009-04-14
270 Views
Last Modified: 2012-05-06
I am doing some research into login portals on websites/web services, and I am after some up-to-date expert knowledge of the threats against such portals.

By login portal I am simply talking about any web site or service that requires single-factor authentication (a username and a password).

Some of the security measures we already have in place are account lockout mechanisms to prevent brute-force or guessing attacks; we have changed any default accounts / default passwords, and we encrypt the credentials using HTTPS, etc.

My question is: without either a username or password, how do attackers try to penetrate or "hack" into a system that requires authentication credentials, essentially bypassing the login portal? Any pointers and best practice to help prevent such attacks would be much appreciated.
Question by:pma111
1 Comment
 
Accepted Solution

by: Chris_Gralike (earned 250 total points)
ID: 24139173
Good but complex question.

When looking at any login / authentication page or application there are indeed various ways to Rome. When I limit my scope to the application of the portal as described above, there might still be various ways in.

But before you start building your bunker you should first answer some questions for yourself to gain some understanding of the threats themselves. Usually people turn to the CIA model as a guide to what needs to be protected in the first place...

Confidentiality
1. Authentication
2. Ownerships
3. Read / Write / modify access
....

Integrity
1. Verify (backup)
2. Dataguard
3. Versioning
....
Availability
1. Clustering
2. Offsite Replication
3. Failover connectivity
....

To answer your question directly: find out what your attack vectors are by thinking about what a hacker could potentially use to gain access. Usually it starts with the system itself. Is your scripting language safe? (PHP safe_mode, for instance?)

Is the script / login application written safely and only for your company, or is it public? Do you have trustworthy personnel? Are there policies in place against social engineering? Do people understand why there is a lockout policy in the first place?

In the end, make sure the doorstep is high enough and hard enough to crack that it will keep out most of them. And accept that you are never perfectly safe with a network plug connected to the internet ;)

Rgrds,

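The answer's "is the login application written safely?" is the crux of the question, so here is a worked example of what an unsafely written login check looks like next to a hardened one. This is an added example and is not code from the questioner, the answerer, or any product on this page. The "legacy" login builds its SQL query from the submitted fields, so an attacker who knows no valid username or password still gets in by submitting a username of `' OR 1=1 --`. The hardened login binds parameters, stores salted PBKDF2 hashes instead of plaintext, and keeps the per-account failure counter behind the lockout policy the question mentions. The schema, the sample user `alice`, the lockout threshold `MAX_FAILURES` and the PBKDF2 work factor are all assumptions made for the demo.

```python
"""Added example: an unsafely written login check beside a hardened one.

Everything here (schema, sample user, thresholds) is constructed for the
demo and is not taken from the original page.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

MAX_FAILURES = 5          # assumed lockout threshold
PBKDF2_ROUNDS = 100_000   # assumed work factor


# ---- the unsafe design: plaintext passwords and string-built SQL ----------

def legacy_db() -> sqlite3.Connection:
    """Constructed legacy store: plaintext password column, as the unsafe query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def legacy_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Unsafe: user input is interpolated into the query text.

    A username of  ' OR 1=1 --  turns the WHERE clause into
    username = '' OR 1=1 --' AND password = '...'   (rest is a comment),
    so the first row comes back without any valid credential.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# ---- the hardened design: bound parameters, salted hashes, lockout --------

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare


# Hash of a throwaway value, verified for unknown users so that a missing
# account costs the same time as a wrong password (no username enumeration).
DUMMY_HASH = hash_password("not-a-real-password")


def hardened_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, "
                 "failures INTEGER NOT NULL DEFAULT 0)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Returns 'ok', 'locked' or 'denied'.

    The '?' placeholder sends the username as data, never as SQL, so the
    injection above simply matches no row. The failure counter implements
    the account lockout from the question.
    """
    row = conn.execute("SELECT pw_hash, failures FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)   # burn the same work as a real check
        return "denied"
    pw_hash, failures = row
    if failures >= MAX_FAILURES:
        return "locked"                          # locked even if the password is right
    if verify_password(password, pw_hash):
        conn.execute("UPDATE users SET failures = 0 WHERE username = ?", (username,))
        conn.commit()
        return "ok"
    conn.execute("UPDATE users SET failures = failures + 1 WHERE username = ?", (username,))
    conn.commit()
    return "denied"


if __name__ == "__main__":
    print("legacy bypass  ->", legacy_login(legacy_db(), "' OR 1=1 --", "anything"))
    db = hardened_db()
    print("hardened bypass->", hardened_login(db, "' OR 1=1 --", "anything"))
    for _ in range(MAX_FAILURES):
        hardened_login(db, "alice", "wrong")
    print("after lockout  ->", hardened_login(db, "alice", "correct horse"))
```

Two things worth noticing when you run it: the lockout counter is keyed per account, so it stops online guessing against `alice` but does nothing against an attacker who spreads one common password across many usernames (password spraying), which needs a source-IP or global rate limit on top; and the unknown-user branch deliberately spends a PBKDF2 round so response time does not reveal which usernames exist.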