Description

The majority of web applications are protected by an authentication page that enables to identify users, give privileges and track user actions. But how many credentials are predictable?

Example

• WebGoat Password Strength lesson shows how much time is needed to crack passwords, depending on their complexity.
• WebGoat, Forgot Password lesson shows the necessity of non-predictable answers in recover lost password forms.
• HackThisSite.org, Realistic, Level 10 shows how to determine valid credentials (login=password=smiller) from an email address ([email protected]).

Protection

• Ban any predictable credentials like admin/password or admin/admin.
• Apply a strong password policy to avoid predictable passwords:
  • Strong passwords: alternate numbers, letters (case sensitive), special characters
  • Force passwords change: put a validity on passwords
  • Force real change: forbid usage of already used passwords

Tools

Installable tools

• John The Ripper
• Cain & Abel
• RSYaba

Online resources

Default passwords

• http://www.cirt.net/passwords

MD5 cracker

• http://www.tmto.org/?category=main&page=search_md5
• http://gdataonline.com/seekhash.php
• http://md5.rednoize.com/

Comments

Talk:Web applications attacks/Authentication Brute-force