Protecting user passwords: security techniques and penetration testing
High-profile data breaches continue to hit the headlines. However, you may be surprised to know that most of the attacks do not take a lot of time or efforts. Weak passwords provide abusers with a lot of opportunities.
If you are involved in the development of a software product that implies usage of some personal data, this post is just for you. It is prepared by the a1qa Security Testing Center of Excellence engineers. After you finish reading it, you’ll learn:
- Strong passwords – what are they?
- What techniques can be implemented to increase the security of user accounts?
- Can software testers detect security flaws before the real attackers do and eliminate them?
3 ways attackers steal passwords
Before talking about securing passwords, let’s list the ways the attacker may take to steal them. Generally, the password can be stolen directly from a user, from the service, or on its way from the client to the service.
Today, we’ll focus on the first option only as it is related to the password security, while two others deal with the web app vulnerabilities and the likelihood of the password being stolen has nothing to do with the password complexity.
So how can attackers break in?
- Performing brute force attacks. Surprisingly, but most of the passwords can be guessed within a specific number of tries. By resorting to this method, hackers will use special tools to enter the password over and over again until it’s cracked. This hacking method is the easiest and least sophisticated.
- Another option is to employ social engineering techniques to learn the user’s credentials, as the human weakness is much easier to penetrate than the network vulnerabilities. This method is more sophisticated and requires psychological skills from the hacker to sound trustworthy and make the victim reveal the data.
- Also the attacker can peep the password at the victim’s working station, install the keylogger to monitor and register all keystrokes typed or simply find a sticker with the password.
You see it’s not that difficult to learn the password if you want to.
Password protection techniques
If the hacker prefers one of the two latter options, the dev team won’t be able to do anything to stop them. However, the first method can be prevented by implementing certain techniques at the software development stage.
Let’s name a few:
- Implement CAPTCHA to prevent bots from automating logging and prove there is a human performing an action.
- Require two-factor authentication with the help of other devices. For example, a user may be asked to enter the code received in an SMS. Another option is to generate a one-time password that will be valid for only one session or transaction.
- You can also restrict a user after several unsuccessful login attempts. However, make sure you won’t block the user forever, just for some period of time.
- Add controls to password minimum length and complexity.
- Ideal password length is 8-12 symbols.
- Make sure your users know that the password may incorporate numbers, Latin characters and special symbols ($, ?, !, <, ”, #, %, @, etc.).
- The combination of number and letters (upper- and lower-case) is reasonable and reliable.
It’s NOT recommended to use:
- Words that can be found in the dictionary as password-cracking tools
- Adjacent keyboard combinations like qwerty, 123456789, qazxsw are also trivial to crack.
- Personal data (first or last name, birth date, passport number, etc.) and also passwords from other services.
Inform your users that it’s also important to make a password that will be not difficult to remember. Most people tend to write long passwords down and stick it to the monitor, which increases the risk of the password being stolen.
You can also develop built-in notifications to remember your users to change the password once in every 90 days, for example.
Also, think about the actions that a user should take if his/her password has been stolen or he/she believes it has been.
What happens if there are no security techniques implemented: a real-world example
If there are any vulnerabilities in the security mechanisms, the abuser who has enough time and desire to get the password will make use of this vulnerability and sooner or later succeed. Getting access to the web site admin panel will enable the abuser to change the web site content.
In one of the projects our engineers were testing the mobile app. The app had a two-factor authentication and the user had to enter his phone number, get a code in an SMS and enter the 4-digit code to log in.
The first things the a1qa engineers paid attention to was that the code was made up of 4 digits, which gave them (and abusers) only 10000 of possible combinations to crack the password.
To make things worse, there was an error in the authentication process: the server didn’t block users after any number of unsuccessful login attempts.
Cracking the password with the specially developed script took our engineers only 15 minutes!
Penetration testing is a vital part of any effective security strategy
Pen testing allows to assess the security level of the system by running simulated attacks to detect possible entries for the abusers.
Professional pen testing process involves several stages.
At the very beginning, security testing engineers collect all information they can about the victim/client: names, emails, children names, nicknames in social media accounts, etc. Based on this information, dictionaries for password cracking are generated and used to crack passwords.
Social engineering emails, calls, face-to-face contact and other tests on people can be performed to ascertain if they are susceptible to an attack.
When to perform pen testing?
Penetration testing should start only after the application is ready and a full functionality test is completed.
Pen testing results:
- Independent assessment of the system security level
- Detection of all security weaknesses
- List of recommendations to improve with the estimation of time and costs they will take to enable.
Is your users’ data secured? If you have any doubts, set up an obligation-free consultation with the a1qa security testing specialists.