Web applications attacks/Authentication Brute-force
Jump to navigation Jump to search
The majority of web applications are protected by an authentication page that enables to identify users, give privileges and track user actions. But how many credentials are predictable?
- WebGoat Password Strength lesson shows how much time is needed to crack passwords, depending on their complexity.
- WebGoat, Forgot Password lesson shows the necessity of non-predictable answers in recover lost password forms.
- HackThisSite.org, Realistic, Level 10 shows how to determine valid credentials (login=password=smiller) from an email address ([email protected]).
- Ban any predictable credentials like admin/password or admin/admin.
- Apply a strong password policy to avoid predictable passwords:
- Strong passwords: alternate numbers, letters (case sensitive), special characters
- Force passwords change: put a validity on passwords
- Force real change: forbid usage of already used passwords