Security Questions and password security in Web Applications

-

Security questions:

Today almost every web application uses security questions to identify the user, especially when the user forgets password. 

 However these security questions pose a major security risk, if they are not properly thought of. Most of the times we come across simple questions like 'In which city you were born' ,'What is your favorite movie' etc. 
Nowadays there is so much information on social networking sites, that a little research will give us all the information needed. Information on favorite movie/actress etc, can be mined by following the 'likes' the user has clicked.

 The questions have to be smart enough to avoid questions on events which occurred in the person's life, and also avoid questions on person's taste and likes. 

 Rather, the questions should evoke answers (sometimes strange) which cannot be guessed. How about these questions:

  1.  'Name a city which you never visited', (definitely this will have a larger answer set)
  2.  'Mention a name which you consider very funny' (few people can hack names like 'hay focker' P.S pun intended)

Password Rules:

Also, the application should have strict password rules to defeat dictionary attacks. The user should be forced to enter alphanumeric and special characters. 

The  application should maintain a list of black listed passwords. It should not accept black listed passwords like 'welcome 123','password 123'. A recent survey has shown that these two are most used passwords. The black list should be updated regularly based on industry findings. 

Password Storage:

The passwords should be stored as one way hash (instead of encrypting) which makes it difficult to retrieve the password. 
You might have read about instances, where in, hackers post all the passwords online after hacking the database. This wouldn't have happened if the passwords were stored as one way hash. SHA-2 is the latest algorithm for hashing. 
We can apply a strongly generated salt to the algorithm and also we can generate hash of hash, some N number of times in order to prevent a brute force attack.




























Comments

Post a Comment

Popular posts from this blog

Pivotal Cloud Foundry (PCF) Integration with Elastic Cloud Storage (ECS)

-
Recently, I was involved in integrating Pivotal Cloud Foundry with Elastic Cloud Storage (ECS), an object storage solution from EMC. In this post, I'm going to document the hiccups we faced during this integration and how did we resolve this, so that it is easier for other folks who would like to carry out this integration. References: We followed the blog post, https://blog.codedellemc.com/2016/01/05/emc-ecs-with-cloud-foundry/ and the service broker code from git hub, https://github.com/spiegela/ecs-cf-service-broker .  1. application.yml file Configuration: First task would be to update the application.yml file in the broker code to have the correct configuration. Note the spring profiles created in yml file. The active spring profile is defined in the build.gradle file to be 'development'. So based on that, we need to update the correct section in the yml file. Under the broker section: a) Provide a valid ECS namespace name (The namespa
Read more

Restful code example using Spring MVC

-
In my previous blog, I talked about Restful webservices design. In this blog, I will provide sample code for the same using Spring MVC framework. Spring MVC 3.x supports annotation based controllers, which are Restful in nature.  Let us create a sample Spring web application for performing CRUD on User entity. Creating project: Create a Maven project with a archetype 'maven-archetype-webapp'. pom.xml <!-- version property --> <properties> <spring.version>3.1.2.RELEASE</spring.version> </properties> <!-- servlet dependency for compilation --> <dependency> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> <version>2.5</version> <type>jar</type> <scope>compile</scope> </dependency> <!-- Spring MVC dependencies --> <dependency> <groupId>org.springframework</groupId> <artifactId&
Read more

Spring Integration - Bulk processing Example

-
Image
In this post, I'm going to share my experience in using Spring Integration for a bulk processing task. This was the first time I was using Spring Integration and it did not disappoint me. It was pretty robust in terms of error handling and definitely scalable. Disclaimer: The actual task being performed has been modified into a fictitious e – commerce domain task, since I cannot reveal the original task which is customer specific and confidential. However, the nature of the task in terms of processing of clob and xml remain the same and the complexity of the original task has been retained. Also, the views posted on this post are strictly personal. Objective: The objective is to work upon customer information from an ecommerce application and process it and save it into database as clob data. The task is to perform data processing by reading xml from a file in the file system and then store it as clob into a table. Following is the high level of tasks required t
Read more