Credential Management Vulnerabilities
The importance of strong credential management
Passwords are the most commonly-used method by which users authenticate to online accounts, computers and other systems. The reason for the massive adoption of usernames and passwords is that they are simple to understand, operate and use. Since users understand how passwords work and find them easy to use, they are often unwilling to switch to more secure but potentially less transparent and usable alternatives.
One of the challenges associated with secure use of passwords is that it is a symmetric system. A computer or program validates a user’s identity by comparing login credentials provided by the user with a version stored within the application. If these two sets of credentials match, then the user is authenticated and provided access to the system.
Learn Secure Coding
However, this also requires the application to securely store its users’ login credentials. If authentication information is accessible to an attacker, they may be able to use it to access the user’s account and any sensitive data or functionality that it contains.
How credential management goes wrong
Secure credential management can be extremely challenging. Credential storage and processing (in authentication systems) can go wrong in a variety of different ways. In many cases, even a simple error — such as using an insecure cryptographic algorithm or misusing salts in password storage — can render all protections for the user’s credentials useless.
Hardcoded credentials
Hardcoded credentials, where account credentials are embedded in the code of an application or a device’s hardware, are a serious security error. Analysis of the application’s code or data leaks from the manufacturer can result in these credentials becoming publicly known. If these credentials cannot be changed, this leaves an application or device permanently vulnerable.
However, this kind of design error is extremely common, especially in Internet of Things (IoT) devices. For example: the Mirai botnet, which included hundreds of thousands of devices at its peak, compromised IoT devices by attempting to log in remotely with a list of 61 usernames and passwords.
Poor password requirements
The security of authentication systems is based upon the assumption that a user is the only one with knowledge of their account password. If people choose to use weak or reused passwords (as nearly two-thirds of people do), this assumption is invalid.
Implementing a strong password policy within an application can help to alleviate the risks associated with weak passwords. By removing the option to use the passwords most commonly included in cybercriminals’ dictionaries, an application can dramatically increase its users’ security against password-guessing attacks.
Insecure credential storage
Authentication systems are based on matching. The user provides their account credentials and the system compares these with a saved version. If they match, the user is granted access.
However, this makes it necessary for the system to secure the user’s credentials in a secure fashion. Saving plaintext credentials, using an insecure hash function or improperly salting passwords can all make the user’s credentials more vulnerable to attack.
Data leaks
In an authentication system, data leaks can occur for a variety of different reasons. When a user incorrectly authenticates to a system, it may provide an error message specifying that either the username or the password was incorrect. When validating the credentials provided by a user, usernames and passwords that are incorrect in different ways may cause different application runtimes.
All of these data leaks provide an attacker with useful information for attempting to guess a user’s credentials. The knowledge that a username is or is not correct or that the first character of a given password is correctly dramatically decreases the time associated with a brute-force search or dictionary attack.
Securely managing user credentials
Best practices for securely managing user credentials are well-established. Applications should not use hardcoded credentials, require strong user passwords, store user passwords secured by salted hashes or leak data regarding a user’s credentials when processing login requests.
However, many organizations have made mistakes when implementing authentication systems that deal with these sensitive credentials. Not all mistakes exist within the main system, as demonstrated by Facebook’s discovery that it was accidentally storing hundreds of millions of user passwords in plaintext for years.
These mistakes often result in data breaches where cybercriminals are easily able to recover a user’s login credentials and gain access to online accounts. Identifying and correcting common errors is essential to ensuring that authentication systems actually provide the level of security that they are designed to provide.
Learn Secure Coding
Sources
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- Credential Management Vulnerabilities
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding