Secure coding

Credential Management Vulnerabilities

Howard Poston
July 21, 2020 by
Howard Poston

The importance of strong credential management

Passwords are the most commonly-used method by which users authenticate to online accounts, computers and other systems. The reason for the massive adoption of usernames and passwords is that they are simple to understand, operate and use. Since users understand how passwords work and find them easy to use, they are often unwilling to switch to more secure but potentially less transparent and usable alternatives.

One of the challenges associated with secure use of passwords is that it is a symmetric system. A computer or program validates a user’s identity by comparing login credentials provided by the user with a version stored within the application. If these two sets of credentials match, then the user is authenticated and provided access to the system.

Learn Secure Coding

Learn Secure Coding

Build your secure coding skills in C/C++, iOS, Java, .NET, Node.js, PHP and other languages.

However, this also requires the application to securely store its users’ login credentials. If authentication information is accessible to an attacker, they may be able to use it to access the user’s account and any sensitive data or functionality that it contains.

How credential management goes wrong

Secure credential management can be extremely challenging. Credential storage and processing (in authentication systems) can go wrong in a variety of different ways. In many cases, even a simple error — such as using an insecure cryptographic algorithm or misusing salts in password storage — can render all protections for the user’s credentials useless.

Hardcoded credentials

Hardcoded credentials, where account credentials are embedded in the code of an application or a device’s hardware, are a serious security error. Analysis of the application’s code or data leaks from the manufacturer can result in these credentials becoming publicly known. If these credentials cannot be changed, this leaves an application or device permanently vulnerable.

However, this kind of design error is extremely common, especially in Internet of Things (IoT) devices. For example: the Mirai botnet, which included hundreds of thousands of devices at its peak, compromised IoT devices by attempting to log in remotely with a list of 61 usernames and passwords.

Poor password requirements

The security of authentication systems is based upon the assumption that a user is the only one with knowledge of their account password. If people choose to use weak or reused passwords (as nearly two-thirds of people do), this assumption is invalid.

Implementing a strong password policy within an application can help to alleviate the risks associated with weak passwords. By removing the option to use the passwords most commonly included in cybercriminals’ dictionaries, an application can dramatically increase its users’ security against password-guessing attacks.

Insecure credential storage

Authentication systems are based on matching. The user provides their account credentials and the system compares these with a saved version. If they match, the user is granted access.

However, this makes it necessary for the system to secure the user’s credentials in a secure fashion. Saving plaintext credentials, using an insecure hash function or improperly salting passwords can all make the user’s credentials more vulnerable to attack.

Data leaks

In an authentication system, data leaks can occur for a variety of different reasons. When a user incorrectly authenticates to a system, it may provide an error message specifying that either the username or the password was incorrect. When validating the credentials provided by a user, usernames and passwords that are incorrect in different ways may cause different application runtimes.

All of these data leaks provide an attacker with useful information for attempting to guess a user’s credentials. The knowledge that a username is or is not correct or that the first character of a given password is correctly dramatically decreases the time associated with a brute-force search or dictionary attack.

Securely managing user credentials

Best practices for securely managing user credentials are well-established. Applications should not use hardcoded credentials, require strong user passwords, store user passwords secured by salted hashes or leak data regarding a user’s credentials when processing login requests.

However, many organizations have made mistakes when implementing authentication systems that deal with these sensitive credentials. Not all mistakes exist within the main system, as demonstrated by Facebook’s discovery that it was accidentally storing hundreds of millions of user passwords in plaintext for years.

These mistakes often result in data breaches where cybercriminals are easily able to recover a user’s login credentials and gain access to online accounts. Identifying and correcting common errors is essential to ensuring that authentication systems actually provide the level of security that they are designed to provide.

Learn Secure Coding

Learn Secure Coding

Build your secure coding skills in C/C++, iOS, Java, .NET, Node.js, PHP and other languages.

 

Sources

  1. Here are the 61 passwords that powered the Mirai IoT botnet, CSO
  2. The password reuse problem is a ticking time bomb, Help Net Security
  3. Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years, Krebs on Security
Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.