Sins of Use of Weak passwords

Question 1

What is a major flaw of password-based systems?

Answer 1

Passwords are a portable single-factor authentication method, which means users can be tricked, bribed, or coerced into revealing them.

Question 2

Why is using weak passwords a security risk?

Answer 2

Weak passwords can be easily guessed by attackers. Examples include “password”, “1234”, or using the username as the password.

Question 3

What should you enforce to prevent the use of weak passwords?(in your application/web et al.)

Answer 3

Enforce password complexity and length requirements, and ensure the username is not included in the password.

Question 4

What are iterated passwords and why are they a security risk?

Answer 4

Iterated passwords include sequences like “password1”, “password2”, which are easy to guess due to their predictable patterns.

Question 5

What is a recommended practice to handle iterated passwords?

Answer 5

Implement password history tracking and ensure passwords cannot be slightly modified versions of previous passwords.

Question 6

Why is it problematic to never change a password?

Answer 6

Not changing passwords regularly can increase the risk of unauthorized access if a password is compromised.

Question 7

What are some defenses against the risk of never changing passwords?

Answer 7

Require regular password changes and track password history to prevent reuse.

Question 8

What are default passwords and why are they dangerous?

Answer 8

Default passwords are preset passwords given to new users or devices, which can be easily exploited if not changed.

Question 9

How can you mitigate the risks associated with default passwords?

Answer 9

Avoid using default passwords. If necessary, lock the system until a new password is set and prevent remote logins if the default password hasn’t been changed.

Question 10

What is a replay attack?

Answer 10

A replay attack occurs when an attacker intercepts network traffic and resends it to gain unauthorized access.

Question 11

How can you defend against replay attacks?

Answer 11

Use SSL/TLS or IPSec to protect authentication attempts.

Question 12

Why should passwords not be stored in cleartext?

Answer 12

Storing cleartext passwords can lead to serious security breaches if the storage system is compromised.

Question 13

What is the recommended method for storing passwords?

Answer 13

Store passwords using a strong hashing algorithm with a sufficient amount of salt.

Question 14

What is a brute-force attack?

Answer 14

A brute-force attack uses computational power to try many password combinations until the correct one is found.

Question 15

How can you protect against brute-force attacks on password verifiers?

Answer 15

Use a key derivation function like PBKDF2, configure iterations, and use a large amount of salt.

Question 16

Why is it a bad practice to reveal whether a login failure is due to an incorrect username or password?

Answer 16

Revealing specific failure reasons can help attackers refine their guessing strategies.

Question 17

How should you handle error messages for login failures?

Answer 17

Provide a generic error message that doesn’t specify whether the username or password was incorrect

Question 18

What are some effective mechanisms to prevent online password guessing attacks?

Answer 18

Implement account lockouts and graduated timeouts for repeated failed login attempts.

Question 19

Why should you reset rather than return forgotten passwords?

Answer 19

Returning forgotten passwords implies storing them, which is insecure. Resetting them ensures users receive a new, secure password.

Question 20

What are one-time passwords and why are they useful?

Answer 20

One-time passwords are temporary and can reduce the risk of capture when logging in from public or shared devices.

Question 21

What are some best practices for handling password security in applications?

Answer 21

Use SSL/TLS for authentication, log failed attempts, enforce strong password policies, avoid default passwords, and use secure hash functions for password storage.

Question 22

How can you ensure passwords are not unnecessarily snoopable over the network during authentication?

Answer 22

Tunnel the authentication protocol over SSL/TLS.

Question 23

What is a secure practice for storing passwords?

Answer 23

Use a strong salted cryptographic one-way function based on a hash for password storage.

Question 24

How should you handle password changes for users who know their current passwords?

Answer 24

Provide a secure mechanism for users to change their passwords.

Question 25

What should you avoid in your customer support process regarding password resets?

Answer 25

Avoid making it easy for customer support to reset passwords over the phone.

Question 26

What is a recommended storage algorithm for passwords that supports making the one-way hash computationally expensive?

Answer 26

Consider using PBKDF2 for password storage.

Question 27

What should you avoid logging in your back-end infrastructure?

Answer 27

Avoid storing plaintext passwords and logging failed passwords.

Question 28

What should you do to protect the logon page from phishing attacks?

Answer 28

Protect the logon page with SSL/TLS.