Most web applications use the username and password technique for authentication. User accounts are therefore exposed to dictionary attacks and brute force attacks. In these attacks the tool either tries to match the password against a set of predefined words or tries new combinations of characters until one succeeds.
The "Good Practices" to mitigate this vulnerability would be:
- Design usernames that are not predictable or guessable.
- Enforce a strong password policy.
- Display a generic message on failed login attempts, e.g. "Invalid Username/Password", so the response does not reveal whether the username or the password was wrong.
- Store passwords in encrypted format in the database.
- Use encryption for the username and password while they are transmitted over the network.
- Disable the user account after n successive failed login attempts.
- Implement CAPTCHAs to prevent bots or automated username/password guessing.
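The lockout and generic-message practices above, as an added example (not code from the original post): a small in-memory login handler that locks an account after a configurable number of successive failures, always returns the same failure message, and, standing in for the post's "encrypted format", stores a salted PBKDF2 hash. The threshold of 5 and the dummy hash for unknown usernames (so a missing user takes as long to reject as a wrong password) are assumptions of this example.

```python
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 5                       # assumed value of "n" from the post
GENERIC_FAILURE = "Invalid Username/Password"
PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = b"\x00" * 16                  # used only to equalise timing for unknown users


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self) -> None:
        self._accounts = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = {"salt": salt, "hash": _hash(password, salt),
                                    "failures": 0, "locked": False}

    def is_locked(self, username: str) -> bool:
        return self._accounts[username]["locked"]

    def login(self, username: str, password: str) -> tuple:
        """Returns (success, message). The message never says which part was wrong."""
        account = self._accounts.get(username)
        if account is None:
            _hash(password, _DUMMY_SALT)    # same cost as a real check
            return (False, GENERIC_FAILURE)
        if account["locked"]:
            return (False, GENERIC_FAILURE)
        candidate = _hash(password, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            account["failures"] = 0         # only successive failures count
            return (True, "OK")
        account["failures"] += 1
        if account["failures"] >= LOCKOUT_THRESHOLD:
            account["locked"] = True        # disable account after n failures
        return (False, GENERIC_FAILURE)
```

A real deployment would persist the counter and lock state server-side and add an unlock path for support staff.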