Design Flaws in Authentication Mechanisms
Authentication functionality is subject to more design weaknesses than any
other security mechanism commonly employed in web applications. Even in
the apparently simple, standard model where an application authenticates
users based on their username and password, shortcomings in the design of
this model can leave the application highly vulnerable to unauthorized access.
Bad Passwords
Many web applications employ no or minimal controls over the quality of
users’ passwords. It is common to encounter applications that allow passwords
that are:
■ Very short or blank
■ Common dictionary words or names
■ Set to the same as the username
■ Still set to a default value
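As an added example (not from the book), the following Python function checks a candidate password against each of the four weakness categories listed above; the word, name and default-value lists and the minimum length are constructed placeholders standing in for the much larger lists a real deployment would load.

```python
import re
from typing import List

# Constructed sample lists; a real deployment would load a full dictionary,
# a name list and a published default-credential list instead.
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "qwerty"}
COMMON_NAMES = {"michael", "jennifer", "david", "sarah"}
DEFAULT_PASSWORDS = {"admin", "changeme", "password1", "default", "12345678"}
MIN_LENGTH = 12  # assumed policy value


def _normalise(value: str) -> str:
    """Lower-case and drop digits/punctuation so 'Password123!' matches 'password'."""
    return re.sub(r"[^a-z]", "", value.lower())


def password_problems(password: str, username: str) -> List[str]:
    """Return the weak-password categories the candidate falls into.

    An empty list means the password passed every check. Each check mirrors
    one of the four weaknesses listed above.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short_or_blank")
    core = _normalise(password)
    if core in COMMON_WORDS or core in COMMON_NAMES:
        problems.append("dictionary_word_or_name")
    # Catch both an exact match and trivial decorations such as 'alice2024!'.
    same_exact = password.lower() == username.lower()
    same_core = bool(core) and core == _normalise(username)
    if same_exact or same_core:
        problems.append("same_as_username")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default_value")
    return problems


def is_acceptable(password: str, username: str) -> bool:
    """True only when no weakness category applies."""
    return not password_problems(password, username)
```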
Figure 6-1 shows an example of weak password quality rules. End users
typically display little awareness of security issues. Hence, it is highly likely
that an application that does not enforce strong password standards will con-