Passwords are not forever!

The human brain is often called the supercomputer of the world. Countless logical computations and decisions occur in it within a fraction of a second, and its several parts control the central nervous system and in turn drive all human activity.

Can the human brain be hacked? That is the immediate question that comes to my mind.

Human brains cannot be hacked, for the simple reason that they all live in a disconnected world: every human brain is disconnected from every other. What about telepathy, emotional bonding and the like? Sure, all of that exists, but apart from it every human brain is an individual computer by itself, and that makes intrusion very difficult!

One of my friends used to say in jest that he had two brains, one left and one right, and that his "left brain had nothing right and his right brain had nothing left". Isn't it funny?

But coming to the actual computer world, this is no fun. 70% of the computers in the world are connected either through the internet or an intranet. This very nature of being in a connected world makes computer systems hackable (unlike our brains!).

To prevent unauthorized access, authentication and authorization play the key roles. Authentication establishes the identity of whoever is trying to access a resource; authorization then decides what that identity is allowed to do. Establishing identity by supplying a user name and password is still a valid, and by far the most common, way to authenticate to a system.

Password security is the most important factor in password-based authentication. Treat your passwords with the same care as your credit card number. The strength of the password decides how strong the authentication mechanism is: a weak password can be recovered by a brute-force attack that tries every candidate from some subset of all possible passwords, or by a dictionary attack that tries words and commonly used passwords first.

Passwords are the first line of defense for protecting assets, and guessing them is a popular and often successful attack method. A single poorly chosen password can result in the compromise of an entire corporate network.

If an attacker obtains a user's password, she can create havoc on the user's system: read their personal information, or cause a denial of service simply by deleting system files. In a web application scenario, she can log in to the user's bank account and steal the money.

Isn’t it scary?

If you are a developer or a solution designer and really mean to have secure authentication in your applications, make sure you follow these password-related best practices.

Password Strength

A strong password should have at least eight characters and should mix uppercase and lowercase letters, numbers, and other characters such as *, ? or $. Length counts for more than any single character class: every additional character multiplies the number of guesses a brute-force attack has to make.

Do not store or cache passwords or corporate credentials in readable form; never put credentials in clear text in configuration files or cookies.

Do not build features like "Remember Password" that keep the credential itself on the client; many applications implement them by storing the credentials in readable form, and such mechanisms should not be used.

Treat and handle passwords as High Business Impact (HBI) information: protect them while stored on disk (hashed where possible, encrypted where they must be recoverable) and transmit them only over an SSL/TLS channel.

Passwords in Forms and Custom authentication

Store a one-way hash of each password rather than the clear password itself. A plain, fast digest such as SHA-1 is not adequate for this: SHA-1 is deprecated, and any fast hash (SHA-1, SHA-256) lets an attacker who steals the database test an enormous number of guesses per second on commodity hardware. Use a deliberately slow, iterated, salted password hash such as PBKDF2 (Rfc2898DeriveBytes in .NET) or bcrypt, with the iteration count tuned to your hardware.

Always use a random, per-user salt when creating the hash. The salt ensures that two users with the same password get different hashes, defeats precomputed (rainbow) tables, and forces an attacker performing a dictionary attack to attack each account separately. That slows the attack down and gives you additional time to detect and react to a compromise.

Use RNGCryptoServiceProvider (a cryptographic random number generator) rather than System.Random to create the salt, so that it has proper entropy:

using System;
using System.Security.Cryptography;

// Returns a Base64 string holding 'size' bytes from the cryptographic
// random number generator, for use as a per-password salt.
private static string CreateSalt(int size)
{
    // Generate a cryptographic random number using the cryptographic
    // service provider
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] buff = new byte[size];
    rng.GetBytes(buff);

    // Return a Base64 string representation of the random number
    return Convert.ToBase64String(buff);
}

Configure an account lockout policy, for example locking the account after 3 invalid password attempts within a 10-minute window. The ASP.NET membership providers implement this through the maxInvalidPasswordAttempts and passwordAttemptWindow attributes (their defaults are 5 attempts in 10 minutes). Keep in mind that lockout is itself a denial-of-service vector: an attacker who knows the user names can lock accounts on purpose, so prefer a temporary lockout, and log every lockout so the attempts get noticed.

Enforce strong passwords. By default the SqlMembershipProvider and ActiveDirectoryMembershipProvider enforce a minimum password length of 7 characters with at least 1 non-alphanumeric character. You can strengthen the requirements by configuring the minRequiredPasswordLength, minRequiredNonalphanumericCharacters and passwordStrengthRegularExpression attributes on the provider; the regular expression is checked in addition to the other two.
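As an added example (not from the original post) of the lockout and strength settings just described, here is a web.config membership provider entry that tightens the defaults. The provider name, connection string name and application name are placeholders; the regular expression requires a digit, a lowercase and an uppercase letter and at least 10 characters, and is evaluated on top of the length and non-alphanumeric checks.

```xml
<!-- Added example, not from the original post. Placeholder names: SqlProvider,
     MembershipDb, /MyApp. passwordFormat="Hashed" requires enablePasswordRetrieval="false";
     the provider refuses the combination of hashed storage and password retrieval. -->
<configuration>
  <system.web>
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/MyApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{10,}$"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

After maxInvalidPasswordAttempts failures inside passwordAttemptWindow minutes the provider sets IsLockedOut on the user; an administrator (or your own reset flow) clears it with MembershipUser.UnlockUser().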

If you use a fixed identity for impersonation by specifying account credentials on the <identity> element, do not leave them in clear text in web.config. On ASP.NET 1.1 use the Aspnet_setreg.exe utility to move them into an encrypted registry key; on ASP.NET 2.0 and later use protected configuration, for example aspnet_regiis.exe -pe "system.web/identity" -app "/MyApp", to encrypt that section in place.

 

Last but not least, please consider changing passwords every 60 days. As a good security practice, passwords should be changed as frequently as is practical, to limit how long a stolen password remains useful. Of course, "Passwords are not forever!"

 

Resources for further reading:

Building secure web applications: https://msdn2.microsoft.com/en-us/library/aa302396.aspx