Sins of Use of Weak Passwords Flashcards
What is a major flaw of password-based systems?
Passwords are a portable single-factor authentication method, which means users can be tricked, bribed, or coerced into revealing them.
Why is using weak passwords a security risk?
Weak passwords can be easily guessed by attackers. Examples include “password”, “1234”, or using the username as the password.
What should you enforce to prevent the use of weak passwords (in your application, website, etc.)?
Enforce password complexity and length requirements, and ensure the username is not included in the password.
What are iterated passwords and why are they a security risk?
Iterated passwords include sequences like “password1”, “password2”, which are easy to guess due to their predictable patterns.
What is a recommended practice to handle iterated passwords?
Implement password history tracking and ensure passwords cannot be slightly modified versions of previous passwords.
Why is it problematic to never change a password?
Not changing passwords regularly can increase the risk of unauthorized access if a password is compromised.
What are some defenses against the risk of never changing passwords?
Require regular password changes and track password history to prevent reuse.
What are default passwords and why are they dangerous?
Default passwords are preset passwords given to new users or devices, which can be easily exploited if not changed.
How can you mitigate the risks associated with default passwords?
Avoid using default passwords. If necessary, lock the system until a new password is set and prevent remote logins if the default password hasn’t been changed.
What is a replay attack?
A replay attack occurs when an attacker intercepts network traffic and resends it to gain unauthorized access.
How can you defend against replay attacks?
Use SSL/TLS or IPSec to protect authentication attempts.
Why should passwords not be stored in cleartext?
Storing cleartext passwords can lead to serious security breaches if the storage system is compromised.
What is the recommended method for storing passwords?
Store passwords using a strong hashing algorithm with a sufficient amount of salt.
What is a brute-force attack?
A brute-force attack uses computational power to try many password combinations until the correct one is found.
How can you protect against brute-force attacks on password verifiers?
Use a key derivation function like PBKDF2, configure iterations, and use a large amount of salt.
Why is it a bad practice to reveal whether a login failure is due to an incorrect username or password?
Revealing specific failure reasons can help attackers refine their guessing strategies.
How should you handle error messages for login failures?
Provide a generic error message that doesn’t specify whether the username or password was incorrect.
What are some effective mechanisms to prevent online password guessing attacks?
Implement account lockouts and graduated timeouts for repeated failed login attempts.
Why should you reset rather than return forgotten passwords?
Returning forgotten passwords implies storing them, which is insecure. Resetting them ensures users receive a new, secure password.
What are one-time passwords and why are they useful?
One-time passwords are temporary and can reduce the risk of capture when logging in from public or shared devices.
What are some best practices for handling password security in applications?
Use SSL/TLS for authentication, log failed attempts, enforce strong password policies, avoid default passwords, and use secure hash functions for password storage.
How can you ensure passwords are not unnecessarily snoopable over the network during authentication?
Tunnel the authentication protocol over SSL/TLS.
What is a secure practice for storing passwords?
Use a strong salted cryptographic one-way function based on a hash for password storage.
How should you handle password changes for users who know their current passwords?
Provide a secure mechanism for users to change their passwords.
What should you avoid in your customer support process regarding password resets?
Avoid making it easy for customer support to reset passwords over the phone.
What is a recommended storage algorithm for passwords that supports making the one-way hash computationally expensive?
Consider using PBKDF2 for password storage.
What should you avoid logging in your back-end infrastructure?
Avoid storing plaintext passwords and logging failed passwords.
What should you do to protect the logon page from phishing attacks?
Protect the logon page with SSL/TLS.