Solved

Authentication portals

Posted on 2009-04-14
1
271 Views
Last Modified: 2012-05-06
I am doing some research into login portals on websites/web services, and I am after some up to date expert knowledge of the threats against such portals.

By login portal I am simply talking about any web site or service that requires Single-factor authentication (a username and a password).

Some of the security we already have in place are account lockout mechanisms to prevent brute force or guessing attacks, we have changed any default accounts / default passwords, encryption of the credentials using https etc etc.

My question is without either a username or password how do attackers try to penetrate or "hack" into a System that requires authentication credentials, essentially bypassing the login portal. Any pointers and best practice to help prevent such attacks would be much appreciated.
0
Comment
Question by:pma111
1 Comment
 
LVL 10

Accepted Solution

by:
Chris_Gralike earned 250 total points
ID: 24139173
Good but complex question.

When looking at any login / authentication page or application there are indeed various ways to rome. When i limit my scope to the application of the portal as describe above there might still be various ways in.

But before you start building you bunker you should first answer some questions to yourself to gain some understandig about the threats themselfs. Usually people turn to the CIA model as a guide to what needs to be protected in the first place...

Confidentiality
1. Authentication
2. Ownerships
3. Read / Write / modify access
....

Integrity
1. Verify (backup)
2. Dataguard
4. Versioning
....
Availability
1. Clustering
2. Offsite Replication
3. Failover connectivity
....

To anwser your question directly, find out what your attack vectors are by thinking what a hacker could potentially use to gain access. Usually it starts with the system itself, is your scripting language save? (php savemode for instance?)

Is the script / login application written safely and only for your company or is it public. Do you have trustworthy personel, are there policies in place agains social engineering. Do people understand why there is a lockout policy in the first place?

In the end, make sure the doorstep is high enough and hard enough to crack that will keep out most of them. And accept that you are never perfectly save with a network plug connected to the internet ;)

Rgrds,
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A publishing tool, a Version Control System, or a Collaboration Platform! These can be some of the defining words for the two very famous web-hosting Git repositories: Bitbucket and Github. Git is widely used amongst the programmers and developers f…
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
This video teaches viewers how to create their own website using cPanel and Wordpress. Tutorial walks users through how to set up their own domain name from tools like Domain Registrar, Hosting Account, and Wordpress. More specifically, the order in…
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now