Difference between revisions of "Using password systems"

From OWASP
Jump to: navigation, search
 
Line 1: Line 1:
 
  
 
{{Template:SecureSoftware}}
 
{{Template:SecureSoftware}}
Line 57: Line 56:
 
==Examples ==
 
==Examples ==
  
 +
<pre>
 
unsigned char *check_passwd(char *plaintext){
 
unsigned char *check_passwd(char *plaintext){
 
         ctext=simple_digest("sha1",plaintext,strlen(plaintext)...);
 
         ctext=simple_digest("sha1",plaintext,strlen(plaintext)...);
Line 62: Line 62:
 
           // Log me in
 
           // Log me in
 
}
 
}
 +
</pre>
 +
 
In Java:
 
In Java:
  
 +
<pre>
 
String plainText = new String(plainTextIn)
 
String plainText = new String(plainTextIn)
 
MessageDigest encer = MessageDigest.getInstance("SHA");
 
MessageDigest encer = MessageDigest.getInstance("SHA");
Line 70: Line 73:
 
if (digest==secret_password())
 
if (digest==secret_password())
 
//log me in
 
//log me in
 +
</pre>
 +
 
==Related problems ==
 
==Related problems ==
  
* Using single-factor authentication
+
* [[Using single-factor authentication]]
  
 
==Categories ==
 
==Categories ==

Revision as of 12:44, 16 April 2006


Overview

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

Consequences

  • Authentication: The failure of a password authentication mechanism will almost always result in attackers being authorized as valid users.

Exposure period

  • Design: The period of development in which authentication mechanisms and their protections are devised is the design phase.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

Very High

Avoidance and mitigation

  • Design: Use a zero-knowledge password protocol, such as SRP.
  • Design: Ensure that passwords are sorted safely and are not reversible.
  • Design: Implement password aging functionality that requires passwords be changed after a certain point.
  • Design: Use a mechanism for determining the strength of a password and notify the user of weak password use.
  • Design: Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.

Discussion

Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks, and such frequent compromise that their use in the most simple implementation is not practical. In order to protect password systems from compromise, the following should be noted:

  • Passwords should be stored safely to prevent insider attack and to ensure that - if a system is compromised - the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stored encrypted, in a non-reversible state, such that the original text password cannot be extracted from the stored value.
  • Password aging should be strictly enforced to ensure that passwords do not remain unchanged for long periods of time. The longer a password remains in use, the higher the probability that it has been compromised. For this reason, passwords should require refreshing periodically, and users should be informed of the risk of passwords which remain in use for too long.
  • Password strength should be enforced intelligently. Rather than restrict passwords to specific content, or specific length, users should be encouraged to use upper and lower case letters, numbers, and symbols in their passwords. The system should also ensure that no passwords are derived from dictionary words.

Examples

unsigned char *check_passwd(char *plaintext){
        ctext=simple_digest("sha1",plaintext,strlen(plaintext)...);
        if (ctext==secret_password())
          // Log me in
}

In Java:

String plainText = new String(plainTextIn)
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(plainTextIn);
byte[] digest = password.digest();
if (digest==secret_password())
//log me in

Related problems

Categories