OWASP Top 10 Part 2: Broken Authentication

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
OWASP Top 10, number 2, broken authentication. In this lesson we're going to talk about the risks associated with broken authentication, the impact of broken authentication, and methods to prevent broken authentication vulnerabilities.

What is broken authentication? Well, we've already talked about the identity, authorization, and authentication process when it comes to web applications in general from a theoretical perspective. But because logging in and having an identity validated and authorized is such a ubiquitous part of logging in to web applications and using them in the Cloud, attackers are trying to subvert that mechanism for authenticating a user.

There are many different ways that this can happen. Well, first and foremost is, the Internet has been around for long enough that there are millions of potential username and password combinations that are out there. They can oftentimes be purchased by threat actors. The use of these potentially valid credentials to attack websites and try to find a valid login, this is a process called credential stuffing. One of the problems with this is that, if you do not rotate your password sufficiently, especially given the nature of how many breaches occur, it's more than likely you may still have a valid password out there, especially for people who aren't particularly computer savvy.

Besides this, if the authentication mechanism isn't properly configured, there are a whole host of attacks that can work. For instance, a dictionary attack is using very common words or phrases within the dictionary to brute force or try different username and password combinations. Another problem with the configuration that sometimes enables broken authentication is that, if you don't put limits on how many username and password combinations can be put in, an attacker can use various brute force algorithms that literally just use computational power to try various username and password combinations over and over again until they identify a correct one.

Another common thing that results in broken authentication is that if default account usernames and passwords are used, those are often some of the first that are tried and are also usually contained in many dictionary attacks. An attacker will gain reconnaissance on the system, identify what underlying applications or services may be running, and will try those default usernames and passwords.

We've talked about tokens, that it's a piece of code that's used to represent something and is often used in an authentication or authorization context to represent a user's validated identity. If those tokens don't expire once the session ends, they can be ascertained by threat actors who can use them to impersonate valid users and gain authentication.

Now, how do we really prevent this? Well, first, MFA, multifactor authentication. We've talked about how using multiple factors can add an extra layer of security to any identification and authentication process. Then naturally, if default accounts are some of those that are most often tried by threat actors, you want to immediately remove those passwords. Then when it comes to the passwords themselves, you can check against the strength of a password. You may see this online often, and it will give you a rating whether your password is weak or strong. The longer the password, the stronger it's going to be. Also, the further away it is from a common dictionary word, the stronger your password is going to be.

One of the other key things to limit the effectiveness of a brute force attack is to impose limits on failed logins. If a system is configured in a way that enables an attacker to try over and over again, it could just increase the likelihood that their brute force efforts may ultimately work to result in broken authentication. But by imposing limits and also creating alerts when it comes to failed logins, which we'll cover more later, you stand a better chance of identifying and preventing broken authentications from being successful.

Quiz question: when an attacker has a potentially valid list of usernames and passwords to use against the system, we call this one, valid list attack; two, credential stuffing; or three, a rainbow table. If you said credential stuffing, that's correct.

Most people who have been out on the Internet and done any shopping have had compromised credentials at some point in time. That's why, as I said, it's really essential to rotate your usernames and passwords, never use the same username and password combination for sites, and really make sure to use strong, long, and complex, and not easily guessable passwords when it comes to critical websites.

In summary, we talked about broken authentication. We talked about the security impact of the exploit, namely that a threat actor can get around, subvert the typical identity access management process and impersonate a user and act as them on the system or exfiltrate data or execute commands. It may just be the first stage of the attack. Then we talked about the methods used to address the exploit: multifactor authentication, disabling default accounts and passwords, really checking whether or not weak passwords are in place, and then also putting limits on the number of failed logins to stop brute force attacks.

Well, we have more vulnerabilities to go. I'll see you in the next lesson.
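The lesson names three configuration-side defences: a strength check that rejects short or dictionary passwords, a limit plus an alert on failed logins, and session tokens that actually expire. The following Python is an added example written for this page, not code from the course or from OWASP; it wires those three controls into a small in-memory login service. The policy numbers (five failures, a 15-minute lockout, a 30-minute session lifetime, 12-character minimum), the `COMMON_PASSWORDS` sample and the `AuthService` class are all assumptions made for the example; a real deployment would check candidates against a breached-password list and route the alerts to a SIEM.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical policy values chosen for this example (not from the lesson).
MAX_FAILED_ATTEMPTS = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60        # how long the lockout lasts
SESSION_TTL_SECONDS = 30 * 60    # a session token is dead this long after issue
MIN_PASSWORD_LENGTH = 12

# Constructed sample of "dictionary" passwords; stand-in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}

# Salt used to hash guesses for unknown usernames, so unknown and known accounts cost the
# same time and a login failure does not leak which usernames exist.
DUMMY_SALT = secrets.token_bytes(16)


def derive_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256) so offline guessing is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def password_issues(password: str) -> list:
    """Return the reasons a password is weak; an empty list means it is acceptable."""
    issues = []
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("is a common dictionary password")
    return issues


class AuthService:
    """Toy authentication service with failed-login lockout, alerting and expiring sessions."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can move time forward
        self.users = {}             # username -> (salt, pbkdf2 hash)
        self.failures = {}          # username -> consecutive failed attempts
        self.locked_until = {}      # username -> unix time when the lockout ends
        self.sessions = {}          # token -> (username, expiry time)
        self.alerts = []            # messages a SOC would forward to a SIEM

    def register(self, username: str, password: str) -> None:
        """Refuse weak passwords up front instead of discovering them in a breach."""
        issues = password_issues(password)
        if issues:
            raise ValueError("weak password: " + "; ".join(issues))
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_hash(password, salt))

    def login(self, username: str, password: str):
        """Return a session token on success, None on failure or while locked out."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            self.alerts.append(f"login attempt on locked account {username}")
            return None
        salt, stored = self.users.get(username, (DUMMY_SALT, None))
        candidate = derive_hash(password, salt)   # always hash, even for unknown users
        if stored is not None and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)     # success resets the failure counter
            token = secrets.token_urlsafe(32)
            self.sessions[token] = (username, now + SESSION_TTL_SECONDS)
            return token
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            self.alerts.append(f"{username} locked after {count} failed logins")
        return None

    def user_for_token(self, token: str):
        """Resolve a session token; an expired token is deleted and rejected."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() >= expiry:
            del self.sessions[token]
            return None
        return username

    def logout(self, token: str) -> None:
        """Ending the session invalidates the token immediately, not just at expiry."""
        self.sessions.pop(token, None)
```

The lockout is per account rather than per source address because credential-stuffing and brute-force traffic is routinely spread over many addresses; the alert on an attempt against a locked account is what gives the detection team a signal that the limit is being hit, which is the point the lesson makes about pairing limits with alerts.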