Chapter 6  ■ Attacking Authentication

vulnerabilities within the application that may be used to steal stored

credentials (see Chapter 12).

■■

A password change facility should be implemented (see the “Prevent

Misuse of the Password Change Function” section), and users should

be obliged to change their password periodically.

■■

Where credentials for new accounts are distributed to users out-of-

band, these should be sent as securely as possible, be time-limited, and

require the user to change them on first login, and the user should be

told to destroy the communication after first use.

■■

Where applicable, consider capturing some of the user’s login informa-

tion (for example, single letters from a memorable word) using drop-

down menus rather than text fields. This will prevent any keyloggers

installed on the user’s computer from capturing all of the data they

submit. (Note, however, that a simple keylogger is only one means by

which an attacker can capture user input. If he or she has already com-

promised a user’s computer, then in principle an attacker can log every

type of event, including mouse movements, form submissions over

HTTPS, and screen captures.)

Download 5,76 Mb.

Do'stlaringiz bilan baham: