M4.10 Reflection: Secure practices for password Management

Introduction

The secure storage of passwords is crucial for application security. In this assignment, you will analyze and list the best practices for the developer for storing the passwords securely in the application.

Instructions

Refer to M4.5: Web-based Authentication and Authorization: Secure Practices. Of the 17 secure practices listed, reflect on three (3). In a 2-3 page paper, address the following:

Based on your web experiences with websites, give an example where, in general,  developers are following these best practices.
Explain the strengths and weaknesses of the mitigation tools and practices related to your selections, e.g. input validation, secure cookies, authentication, password challenges, and cryptography.
Research and determine a current (within 2 years) exploit that has happened because of poor implementation of one or more of these secure practices.

M4.5: Notes

Module Notes: Web-based Authentication and Authorization: Secure Practices
Image of a consultant touching the virtual screen showing a lock icon depicting cyber security

Here are a few secure practices for authentication and authorization:
1.Username should be unique and case insensitive.
2.Request to access restricted resources should be authenticated and the user roles should be verified before granting the access.
3.The applications should only allow secure passwords. The passwords should be of a minimum of 8 characters and should contain an uppercase letter and a number.
4.Passwords should not be stored in cleartext. The best way to store is by using one way salted hash of the passwords.
5.Authentication failure messages should be generic and should not indicate in any way the cause of the error. Even applications with the same error message but different HTTP error codes can lead to security threats.
6.The input should be validated at all entry points of the application to avoid attacks like cross-site scripting, SQL injection, etc.
7.The application should require re-authentication for updating sensitive information on the website to mitigate session fixation and CSRF attacks.
8.Simple challenges in the forgot password feature can be used to easily bypass the authentication mechanism in a website. So, this feature should be securely implemented. Multiple questions should be used to authenticate the user and a multi-factor token challenge should be used to reset the users password. After the successful password reset, the current session should end and the user should be redirected to the login page.
9.The application should restrict login attempts to prevent the hacker from cracking the password using brute force or dictionary attacks.
10.The developer should address the security issues related to delegable credentials. The delegation should be time-specific and the link should expire after some period.
11.All authentication failures should be logged.
12.Session cookies should be stored securely. The persistent cookies should expire after a few hours. Always enable secure attribute of the cookie that prevents the transmission of cookie over an unencrypted channel. Session ids should be unpredictable.
13.Remember me feature should re-authenticate when the user changes data across security boundaries.
14.Http Only attribute of the cookie should be set to prevent JavaScript from reading sensitive values.
15.The session id should be regenerated every time the user authenticates. This mitigates threats like session fixation.
16.Use secure authentication protocols.
17.Track the IP address of the user to limit the login attempts.