Credential Management Vulnerabilities
The importance of strong credential management
Passwords are the most commonly-used method by which users authenticate to online accounts, computers and other systems. The reason for the massive adoption of usernames and passwords is that they are simple to understand, operate and use. Since users understand how passwords work and find them easy to use, they are often unwilling to switch to more secure but potentially less transparent and usable alternatives.
One of the challenges associated with secure use of passwords is that it is a symmetric system. A computer or program validates a user’s identity by comparing login credentials provided by the user with a version stored within the application. If these two sets of credentials match, then the user is authenticated and provided access to the system.
However, this also requires the application to securely store its users’ login credentials. If authentication information is accessible to an attacker, they may be able to use it to access the user’s account and any sensitive data or functionality that it contains.
How credential management goes wrong
Secure credential management can be extremely challenging. Credential storage and processing (in authentication systems) can go wrong in a variety of different ways. In many cases, even a simple error — such as using an insecure cryptographic algorithm or misusing salts in password storage — can render all protections for the user’s credentials useless.
Hardcoded credentials, where account credentials are embedded in the code of an application or a device’s hardware, are a serious security error. Analysis of the application’s code or data leaks from the manufacturer can result in these credentials becoming publicly known. If these credentials cannot be changed, this leaves an application or device permanently vulnerable.
However, this kind of design error is extremely common, especially in Internet of Things (IoT) devices. For example: the Mirai botnet, which included hundreds of thousands of devices at its peak, compromised IoT devices by attempting to log in remotely with a list of 61 usernames and passwords.
Poor password requirements
The security of authentication systems is based upon the assumption that a user is the only one with knowledge of their account password. If people choose to use weak or reused passwords (as nearly two-thirds of people do), this assumption is invalid.
Implementing a strong password policy within an application can help to alleviate the risks associated with weak passwords. By removing the option to use the passwords most commonly included in cybercriminals’ dictionaries, an application can dramatically increase its users’ security against password-guessing attacks.
Insecure credential storage
Authentication systems are based on matching. The user provides their account credentials and the system compares these with a saved version. If they match, the user is granted access.
However, this makes it necessary for the system to secure the user’s credentials in a secure fashion. Saving plaintext credentials, using an insecure hash function or improperly salting passwords can all make the user’s credentials more vulnerable to attack.
In an authentication system, data leaks can occur for a variety of different reasons. When a user incorrectly authenticates to a system, it may provide an error message specifying that either the username or the password was incorrect. When validating the credentials provided by a user, usernames and passwords that are incorrect in different ways may cause different application runtimes.
All of these data leaks provide an attacker with useful information for attempting to guess a user’s credentials. The knowledge that a username is or is not correct or that the first character of a given password is correctly dramatically decreases the time associated with a brute-force search or dictionary attack.
Securely managing user credentials
Best practices for securely managing user credentials are well-established. Applications should not use hardcoded credentials, require strong user passwords, store user passwords secured by salted hashes or leak data regarding a user’s credentials when processing login requests.
However, many organizations have made mistakes when implementing authentication systems that deal with these sensitive credentials. Not all mistakes exist within the main system, as demonstrated by Facebook’s discovery that it was accidentally storing hundreds of millions of user passwords in plaintext for years.
These mistakes often result in data breaches where cybercriminals are easily able to recover a user’s login credentials and gain access to online accounts. Identifying and correcting common errors is essential to ensuring that authentication systems actually provide the level of security that they are designed to provide.