Authentication weaknesses

Ah, the good 'ole login screen. Is any secure system complete without one? Whether it's a Web site login screen or a Unix login prompt, most systems' security relies solely on a valid userID and password to prove one's identity. Since this is usually the only access requirement, it's worth putting your authentication system under the magnifying glass to see just how well it holds up to a curious hacker.

It's extremely common for hackers to try to brute force their way into a system by guessing commonly used userIDs and passwords. You should avoid using "admin," "test," "user" and any default userIDs. Common passwords to avoid are the userID, "password," "pass" and any default passwords. Some systems make it easy for a user to discover a valid userID, displaying a message when a logon failure occurs. Such messages may say, "Invalid userID," telling the hacker that they should keep guessing userIDs. When a valid userID is found, they may then be shown another revealing message, such as, "Invalid password." Ideally, a system's logon failure message should be generic, such as, "Invalid userID or password," regardless of the reason for failure. Otherwise, the hacker could enumerate a valid userID and start guessing passwords, looking for a weak one, which brings us to the next item.

Weak passwords are often the weakest link in most authentication systems. If at all possible, enforce password rules for every system on your network, especially for systems at the network border. Password and account rules should at least require a mix of letters and numbers, and should specify a minimum password length, password history, account lockout and password expiration. If possible, set password rules that do not allow a password to be the same as the userID or the user's first or last name, as these are easy to guess. The goal is to force users to choose strong passwords.

Guide to Network Security
This guide introduces you to the main components in whole network security. You'll find articles, tutorials, tips, tools, white papers and more to pump up your network security quickly.

Products of the Year 2004: Network security devices and tools
Tip: When it comes to enterprise networks, security is our top concern. Find out which new security devices and tools can make your life easier.

To really beef up your authentication mechanism, you should enforce a two- or three-factor authentication system. Multifactor authentication means there are at least two different types of credentials that must be submitted to be authenticated. There are three categories of authentication factors: something you have, something you know and something you are. Each factor in the authentication mechanism should be from a different category than the others. In other words, a userID and password is still one-factor authentication since both pieces are something you know. Some valid combinations would be a key-fob token and a PIN, a thumbprint and a password or a retina scanner and your voice.

By improving your authentication mechanisms you are making it very tough for hackers to brute force their way into your systems. With the exception of multi-factor authentication systems, the above recommendations should not cost much, if anything, to implement.

About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.

This tip originally appeared on our sister site, SearchSecurity.com.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Shifting defenses and dynamic perimeters challenge network security Compliance in a virtualized world: Server virtualization and NAC security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in Security across network boundaries with Secure Mobile Architecture USB storage devices: Two ways to stop the threat to network security Network security: Using unified threat management (UTM) Network security: Empower users without endangering IT Network analysis -- Enhancing security assessments VPN security: Hiding in plain sight, using network encryption Network Security Monitoring Networking data visualization not just for pointy-headed bosses Visual Security Analysis -- 'Applied Security Visualization,' Chapter 5 SIEM platform secures university's open network Network forensics appliance gets storage boost and 10 GbE support Tracking NetFlow over MPLS helps airline with compliance Securing the new network architecture: Security for distributed, dynamic networks When it comes to data loss prevention, networking should be part of the conversation What is data loss prevention? -- An introduction to DLP What are the best methods for handling rogue access points? Internet monitoring vendor adds throttling, filtering, to its appliance RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary deep packet inspection (DPI)  (SearchNetworking.com) FCAPS  (SearchNetworking.com) Nessus  (SearchNetworking.com) netstat  (SearchNetworking.com) port mirroring  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.