Difference between revisions of "Storing credentials"

From OWASP
Revision as of 06:34, 7 January 2008

Storing Credentials

Normally an application stores credentials in a database (RDBMS, LDAP, etc.) for later retrieval by functionality such as login procedures, data verification, etc. By storing credentials we are referring not only to usernames and passwords but to any related information that might be exploited by attackers in one way or another. Examples of such credentials are the following:

  • Username and passwords
  • Credit card information
  • Billing and Shipping Address
  • Medical records and/or history
  • Contact information - e-mail, telephone numbers, mobile numbers, etc.

This poses many security risks, such as:

  • Loss of confidentiality
  • Privacy violation
  • Data Integrity