April 15, 2014

Web Applications Security Principles - Authentication - Password

Password Policy

Under this topic you should consider at least the following requirements:
  • Password complexity
  • Password change period
  • Password history check
  • Password black list
  • Password management tools
  • Administrator passwords
  • Password store, reset and delivery
For more information, please take a look at the link.

Password Complexity

- A secure password must contain at least 8 characters.
- A secure password must contain uppercase letters, lowercase letters, digits and special characters such as @.
- A secure password must not be a dictionary word.
- A secure password must be generated randomly.

You can check your password's complexity at this link.
Be aware of common password patterns (link).

Entropy Concept

- Used to compare the security of passwords.
- H = L * log2(N)  (H: total entropy in bits, L: length of the password, N: number of symbols in the symbol space)

Sample calculation 1:  Password = password, N = 26 (a, b, c, ..., y, z)
H = 8 * log2(26) = 37.6 bits

Sample calculation 2:  Password = PassW0Rd897, N = 62 (a, b, c, ..., z, A, B, C, ..., Z, 0, 1, 2, ..., 9)
H = 10 * log2(62) = 59.54 bits

Password Hacking Attacks

- Brute Force Attack: systematically checks all possible keys or passwords until the correct one is found.
- Dictionary Attack: a targeted technique that successively tries all the words in an exhaustive list called a dictionary.
- Password Hash Cracking: recovers passwords from stolen hash values (e.g. MD5 cracker, SHA1 cracker).

Password Hacking Tools

- hydra, ncrack, crunch

Password Transmission Flaws

- Passwords must be transported over an encrypted channel such as HTTPS or SFTP.
- The session identifier must also be transferred over HTTPS after authentication.

Password Storing Flaws

- Passwords should not be stored as plain text in the database.
- Storing only the hash value of the password is not sufficient either.
- An account-specific salt value should be used when calculating the hash value of the password:
   [protected form] = [salt] + protect([protection func], [salt] + [credential]);
   More info: link.
- The autocomplete="off" attribute (on <input> or <form>) should be used to prevent passwords from being stored by web browsers (link).
- System administrators should use a tool such as KeePass to store passwords.
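The storage scheme above, worked through as an added example (this is not code from the original post). It builds and verifies [salt] + protect(...), with PBKDF2-HMAC-SHA256 assumed as the protection function since the post does not name one, and shows why the bare-hash scheme is not enough: two accounts with the same password get identical records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the original post. It realises
# [protected form] = [salt] + protect([protection func], [salt] + [credential])
# with PBKDF2-HMAC-SHA256 as the (assumed) protection function.
SALT_BYTES = 16
ITERATIONS = 100_000  # constructed value; tune to the deployment's CPU budget


def protect(salt: bytes, credential: str) -> bytes:
    """Slow, salted hash of the credential; PBKDF2 binds the salt in."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"), salt, ITERATIONS)


def unsalted(credential: str) -> bytes:
    """The flawed scheme the post warns against: a bare hash, no salt."""
    return hashlib.sha256(credential.encode("utf-8")).digest()


def make_protected_form(credential: str, salt: Optional[bytes] = None) -> bytes:
    """Build the value that goes into the database: per-account salt + protect(...)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # account-specific, random, never reused
    return salt + protect(salt, credential)


def verify(credential: str, stored: bytes) -> bool:
    """Split the stored form, recompute with its salt, compare in constant time."""
    salt, expected = stored[:SALT_BYTES], stored[SALT_BYTES:]
    return hmac.compare_digest(protect(salt, credential), expected)


def demo() -> dict:
    """Two accounts sharing one (constructed) password, stored both ways."""
    pw = "Winter2014!"  # constructed sample password
    alice, bob = make_protected_form(pw), make_protected_form(pw)
    return {
        "unsalted_collide": unsalted(pw) == unsalted(pw),  # True: leaks who shares a password
        "salted_collide": alice == bob,                    # False: different salts
        "alice_ok": verify(pw, alice),
        "alice_wrong_case": verify(pw.lower(), alice),
    }


if __name__ == "__main__":
    print(demo())
```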