This chapter discusses the vulnerabilities associated with password-based authentication, highlighting the ease with which passwords can be compromised through various attacks, such as phishing. It emphasizes the challenges faced by both users and web applications in maintaining password security and the need for effective countermeasures. The chapter also references a notable incident involving the exposure of thousands of Hotmail accounts due to inadequate password protection practices.

CHAPTER 5

Breaking Authentication Schemes

INFORMATION IN THIS CHAPTER:
• Understanding the Attacks
• Employing Countermeasures

Passwords remain the most common way for a web site to have users prove their identity. If you know an account’s password, then you must be the owner of the account—so the assumption goes. Passwords represent a necessary evil of web security. They are necessary, of course, to make sure that our accounts cannot be accessed without this confidential knowledge. Yet the practice of passwords illuminates the fundamentally insecure nature of the human way of thinking. Passwords can be easy to guess, they might not be changed for years, they might be shared among dozens of web sites (some secure, some with gaping SQL injection vulnerabilities), they might even be written on slips of paper stuffed into a desk drawer or slid under a keyboard. Keeping a password secret requires diligence in the web application and on the part of the user. Passwords are a headache because the application cannot control what its users do with them.
In October 2009 a file containing the passwords for over 10,000 Hotmail accounts was discovered on a file-sharing web site, followed shortly by a list of 20,000 credentials for other web sites (http://news.bbc.co.uk/2/hi/technology/8292928.stm). The lists were not even complete. They appeared to be from attacks that had targeted Spanish-speaking users. While 10,000 accounts may seem like a large pool of victims, the number could be even greater because the file only provides a glimpse into one set of results. The passwords were likely collected by phishing attacks—attacks that trick users into revealing their username and password to people pretending to represent a legitimate web site. Throughout this book we discuss how web site developers can protect their application and their users from attackers. If users are willing to give away their passwords (whether being duped by a convincing impersonation or simply making a mistake), how is the web site supposed to protect its users from themselves?
Obtaining a password is the primary goal of many attackers who flood e-mail with spam and faked security warnings. Obtaining a password isn’t the only way into a
Hacking Web Apps. http://dx.doi.org/10.1016/B978-1-59-749951-4.00005-9
© 2012 Elsevier, Inc. All rights reserved.
141
