
2. Broken authentication

Authentication and session management functions are implemented incorrectly.

What it is

Authentication is the process of verifying that it is in fact the user who is accessing their account and data (e.g., by checking a username and password combination). Authentication grows more complex as a site, app, or device becomes bigger, broader, and more connected to other sites, apps, or devices.

How it works

Passwords can be easily guessed or stolen if left unprotected. Attackers look for places where user credentials or sessions lack adequate protection. Session IDs exposed in a URL end up in router logs and are prone to URL rewrite attacks. Credential stuffing uses password databases leaked from other sites. See https://haveibeenpwned.com/ for a catalog of recent user account breaches.

Why it’s bad

If attackers can hijack a user's or administrator's session, they gain access to everything available within that account, from data to account control.

Countermeasures

  • Where possible, implement multi-factor authentication (MFA).

  • Do not ship or deploy with any default (admin) credentials.

  • Align password length, complexity, and rotation policies with modern password policies and algorithms.

  • Implement weak password checks, such as testing new or changed passwords against a list of the top 10,000 worst passwords.

  • Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks using the same messages for all outcomes.

  • Limit or increasingly delay subsequent failed login attempts. Use CAPTCHA.

  • Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.

  • Web application session IDs or tokens should not be in the URL. They should be securely stored and invalidated after logout, idle, and absolute timeouts.
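The countermeasures above, as an added example that is not part of the original handbook: a small in-memory authentication service in Python that rejects weak or short passwords, stores only a salted PBKDF2 hash, returns the same result for every failure cause, delays repeat attempts with a doubling back-off, logs failures, and issues session tokens that are invalidated on logout and after idle or absolute timeouts. The weak-password list, the timeout values and the injectable clock are constructed for the example; a real deployment would load a full worst-passwords list and persist sessions outside the process.

```python
import hashlib
import hmac
import logging
import secrets
import time

log = logging.getLogger("auth")

# Constructed stand-in for a real worst-passwords list (e.g. the top 10,000).
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}
MIN_PASSWORD_LENGTH = 12

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds after login after which a session dies regardless
BASE_DELAY = 2.0              # seconds; doubles with each consecutive failed login
PBKDF2_ROUNDS = 200_000       # assumed value; tune to the hardware you deploy on


def password_is_acceptable(password):
    """Enforce minimum length and reject anything on the weak-password list."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in WEAK_PASSWORDS


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256; never store the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so timeouts can be tested without sleeping
        self.users = {}          # username -> (salt, digest)
        self.failures = {}       # username -> (consecutive failures, time of last failure)
        self.sessions = {}       # token -> {"user", "created", "last_seen"}

    def register(self, username, password):
        if not password_is_acceptable(password):
            raise ValueError("password does not meet policy")
        self.users[username] = hash_password(password)

    def required_delay(self, username):
        """Seconds the caller must still wait before another attempt is processed."""
        count, last = self.failures.get(username, (0, 0.0))
        if count == 0:
            return 0.0
        wait = BASE_DELAY * 2 ** (count - 1)
        return max(0.0, last + wait - self.clock())

    def login(self, username, password):
        """Return a session token on success, None otherwise (same result for every failure cause)."""
        if self.required_delay(username) > 0:
            log.warning("throttled login attempt for %r", username)
            return None
        record = self.users.get(username)
        # Always run the hash so response time does not reveal whether the account exists.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, self.clock())
            log.warning("failed login for %r (consecutive failures: %d)", username, count + 1)
            return None
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)   # sent in a cookie or header, never in the URL
        now = self.clock()
        self.sessions[token] = {"user": username, "created": now, "last_seen": now}
        return token

    def session_user(self, token):
        """Resolve a token, enforcing idle and absolute timeouts; expired sessions are dropped."""
        session = self.sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > IDLE_TIMEOUT or now - session["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        self.sessions.pop(token, None)
```

The back-off is enforced per account and reported as a wait time rather than a hard lock, so an attacker cannot lock a victim out by deliberately failing; the wait still grows quickly enough to make guessing impractical. Pair it with the CAPTCHA and alerting the list calls for, since per-account throttling alone does not stop stuffing spread across many accounts.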

Broken authentication example

The hacker seeks out ways to modify user credentials to access the user's account.

Scenario 1

The login form displays explicit, detailed password requirements, which tell an attacker exactly which constraints a guessed password must satisfy.

Scenario 2

The application alerts the user to an invalid password entry, which inadvertently confirms that the user account is valid.

Scenario 3

An "invalid email address" message tells the person entering login credentials that the password they supplied was correct.

Scenario 4

A simple, secure error message does not indicate which input failed to authenticate, or why.
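Scenarios 2 through 4 side by side, as an added example that is not part of the original handbook: a login responder that leaks account existence by giving each failure its own message, next to the hardened version that returns one message for every failure, the same treatment for credential recovery, and a defender self-check that detects the leak. The account store and the message strings are constructed for the example; the plaintext comparison stands in for a slow salted hash, since the point here is the response text, not the storage.

```python
import hmac

# Constructed sample account store; real code stores a slow salted hash, not the password.
ACCOUNTS = {"alice@example.com": "correct horse battery staple"}

GENERIC_LOGIN_MESSAGE = "Invalid email or password."
GENERIC_RESET_MESSAGE = "If an account exists for that address, a reset link has been sent."


def login_message_leaky(email, password):
    """Scenarios 2 and 3: each failure cause gets its own message, so the
    response reveals whether the email is registered."""
    stored = ACCOUNTS.get(email)
    if stored is None:
        return "No account with that email address."
    if not hmac.compare_digest(stored, password):
        return "Incorrect password."
    return "Welcome back."


def login_message_hardened(email, password):
    """Scenario 4: one message for every failure, whichever input was wrong."""
    stored = ACCOUNTS.get(email, "")  # unknown user falls through to a failed compare
    if hmac.compare_digest(stored, password) and stored:
        return "Welcome back."
    return GENERIC_LOGIN_MESSAGE


def reset_message_hardened(email):
    """Credential recovery answers identically whether or not the address is registered."""
    if email in ACCOUNTS:
        pass  # hypothetical: queue the reset e-mail here
    return GENERIC_RESET_MESSAGE


def reveals_account_existence(respond):
    """Defender self-check: True if a wrong password yields different responses for a
    registered and an unregistered address."""
    known = respond("alice@example.com", "definitely-wrong")
    unknown = respond("nobody@example.com", "definitely-wrong")
    return known != unknown
```

The self-check only compares message text; response timing and HTTP status codes must be made uniform as well, which is why the countermeasures list calls for running the password hash even when the account does not exist.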