Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Thursday, August 12, 2010

Managing Username/Password

Most web applications use a username and password for authentication, so user accounts are exposed to dictionary attacks and brute-force attacks. In these attacks a tool either tries to match the password against a set of predefined words or tries new combinations of words.

The "Good Practices" to mitigate this vulnerability are:

  1. Design usernames that are not predictable or guessable.
  2. Enforce a strong password policy.
  3. Display a generic message on failed login attempts, e.g. "Invalid Username/Password".
  4. Store passwords in encrypted form in the database.
  5. Use encryption for the username and password while they are transmitted over the network.
  6. Disable the user account after n successive failed login attempts.
  7. Implement CAPTCHAs to prevent bots or automated username/password guessing.
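As an added example (not code from the original post), here is a minimal Python login routine that applies items 2, 3, 4 and 6 above: a password policy check, one generic failure message whether the username or the password was wrong, salted one-way PBKDF2 hashing for stored passwords, and disabling the account after `MAX_FAILED` successive failures. The in-memory user store and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

MAX_FAILED = 5                      # n successive failures before the account is disabled
GENERIC_ERROR = "Invalid Username/Password"   # same text for unknown user, bad password, disabled account

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only salt and digest are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def password_is_strong(password: str) -> bool:
    """Minimal policy (assumed): 12+ characters with upper, lower, digit and symbol."""
    return (len(password) >= 12
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^\w\s]", password) is not None)

# Constructed in-memory "database": username -> salt, digest, failure counter, disabled flag
USERS = {}

def register(username: str, password: str) -> None:
    """Reject weak passwords; store only the salted hash."""
    if not password_is_strong(password):
        raise ValueError("password does not meet policy")
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "failed": 0, "disabled": False}

def login(username: str, password: str) -> tuple:
    """Return (success, message). The message never reveals which field was wrong."""
    record = USERS.get(username)
    if record is None:
        # Unknown user: still spend a hash computation so response time does not reveal existence.
        hash_password(password, b"\x00" * 16)
        return False, GENERIC_ERROR
    if record["disabled"]:
        return False, GENERIC_ERROR
    _, digest = hash_password(password, record["salt"])
    if hmac.compare_digest(digest, record["digest"]):   # constant-time comparison
        record["failed"] = 0            # the successive-failure counter resets on success
        return True, "OK"
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED:
        record["disabled"] = True       # item 6: disabled after n successive failures
    return False, GENERIC_ERROR
```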
