Authentication vulnerability (part 6)

Tram Ho

VII. How to prevent authentication vulnerabilities?

1. Authentication: the first layer of protection for users and the system

Authentication vulnerabilities are often among the first targets an attacker looks at, because authentication can be considered the first layer of protection for users. When a system has a lax authentication mechanism, attackers can easily take advantage of it to take over user accounts. Once an attacker obtains your credentials (in any of the various ways discussed further in the next section), most of the information you store on that website is exposed, and they can use the website under your identity, with unpredictable consequences for the user in particular and the system in general.

In the previous sections, we analyzed and exploited authentication vulnerabilities together through the labs. Authentication problems in features such as login, registration, forgot password, reset password, and so on were exploited in many directions. I believe there are still many other ways of attacking besides the examples I have shown in the article.

Besides negligence by service providers when building applications, careless actions by users can also give attackers an opening. Therefore, we need to take measures to prevent and mitigate this type of vulnerability.

2. On the service provider side

A simple and quite effective technique for exploiting authentication vulnerabilities is brute force, so several of the measures below aim at making it impractical.

2.1. Do not reveal unnecessary information to users

One of the first things to do is not to disclose too much information to the user. For example, when a user enters an incorrect username or password, the message shown should only be “Invalid username or password”: just enough to let the user know the input was wrong, without indicating whether it was the username or the password that was correct.

2.2. Require strong passwords

Require users to set strong passwords. For example, a password should be at least 8 characters long and include lowercase letters, uppercase letters, digits, and special characters.

2.3. Limit failed login attempts

When a user fails to log in more than a specified number of times, it is most likely a brute force attack. The system can disable the account for a certain period of time, and each further failed login increases that period. This is very effective at stopping brute force attacks.

2.4. Multi-step authentication

A stricter requirement is two-factor authentication (2FA); ideally every login should require the user to complete the second step.

2.5. Use CAPTCHA codes

A CAPTCHA can be shown as an image containing a string of letters or digits that the user must enter correctly before logging in. Since this is annoying for users, a CAPTCHA should be required only after the user has failed to log in more than the specified number of times.

2.6. Other measures

There are also other precautions, such as limiting logins to certain addresses or domains, using unique login URLs, monitoring user login logs, and so on.
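The provider-side measures described in this section (generic error message, password policy, progressive lockout after repeated failures, and a CAPTCHA trigger) combined in one small login service, as an added example that is not from the original article. The `AuthService` class, the thresholds, the PBKDF2 password hashing and the `now` parameter (so the lockout can be exercised without waiting) are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
import time

GENERIC_ERROR = "Invalid username or password"  # same text for unknown user and wrong password
MAX_FAILURES = 3     # failed attempts before the account is temporarily disabled
BASE_LOCKOUT = 30.0  # seconds for the first lockout; doubles on each further failure
CAPTCHA_AFTER = 2    # failed attempts after which the login form must also demand a CAPTCHA


def is_strong_password(password: str) -> bool:
    """At least 8 characters with a lowercase letter, an uppercase letter, a digit and a special character."""
    return len(password) >= 8 and all(re.search(p, password)
                                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self) -> None:
        self.accounts = {}  # username -> {"salt", "hash", "failures", "locked_until"}

    def register(self, username: str, password: str) -> None:
        if not is_strong_password(password):
            raise ValueError("password does not meet the policy")
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": hash_password(password, salt),
                                   "failures": 0, "locked_until": 0.0}

    def captcha_required(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct["failures"] >= CAPTCHA_AFTER

    def login(self, username: str, password: str, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        # Unknown user and disabled account both get the generic message, so the response
        # never confirms whether the username exists or whether the account is locked.
        if acct is None or now < acct["locked_until"]:
            return False, GENERIC_ERROR
        if hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0  # a successful login clears the counter
            return True, "OK"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            # Progressive lockout: 30 s on the 3rd failure, 60 s on the 4th, 120 s on the 5th, ...
            acct["locked_until"] = now + BASE_LOCKOUT * 2 ** (acct["failures"] - MAX_FAILURES)
        return False, GENERIC_ERROR
```

Attempts made while the account is disabled are rejected before the password is checked, so they neither extend the lockout nor reveal whether the password was right.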

3. On the user side

Many users today are not well aware of how to keep their information secure. Users are responsible for protecting their accounts and personal information, and doing so also helps protect the provider from attackers.

  • Do not use personal information as a password.
  • Do not click on strange links sent by others.
  • Do not fill in forms on pages that show signs of fraud.


Source : Viblo