authenticating users into the system. Usernames and passwords are sometimes also used in conjunction with other factors of authentication like secure tokens or biometrics.

A username or a user ID is a unique identity given to every user in the system. The username/user ID is critical for identification, because by providing the username/user ID, the user proves his identity to the system and that such a user actually exists as a legitimate user on the system. The password is the authentication mechanism where, upon the entry of the right password, the system understands that a particular user, who has identified himself/herself with a username, has also provided evidence of the fact that he/she is actually the user who he/she claims to be, because he/she has provided the system with information only the user could possess. However, there are several other considerations that need to be kept in mind while developing a strong authentication system for a Web application. They are as follows:
It is imperative that unique usernames be provided to each and every user of the Web application. Unique usernames are required to establish the identity of a user performing a certain action. If people share username and password credentials, then there is no way of tracing a breach to a particular individual (lack of accountability). The only way of identifying user actions or tracing anomalies and breaches to specific individuals is through the creation of individual user credentials for all the users of the system. Shared credentials are especially dangerous in the case of administrative users of a Web application, as they can gain access to sensitive information and not be held responsible for their actions. Web applications should be implemented to ensure that shared user credentials are not allowed and that users are appropriately bound to their roles to ensure appropriate authorization controls.
Passwords of all users need to be of a certain strength and complexity. Poor passwords are easily guessed by attackers, or recovered by brute-force techniques run against the Web application, to gain access to user accounts. Many users have easily guessable passwords like 123456, jesus, admin or password, which attackers looking to break into user accounts will try first. Short or noncomplex passwords are also more susceptible to password cracking. The ideal password strength for Web applications is a length of eight characters consisting of uppercase and lowercase letters and numeric characters as well as special characters. The Web application must be developed to enforce password strength and complexity requirements for all the users of the application. It is recommended not to hardcode password complexity requirements into the Web application, as it would then be inflexible for users and administrators to change the parameters as and when necessary. The password complexity requirements, along with other password management parameters, may be included in a separate file or as part of an administrative interface, which can be customized by the administrators of the application.
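The externalized password policy described above, as an added example that is not from the book: the complexity parameters live in a policy document an administrator can edit (here an embedded, constructed JSON string standing in for the separate file), and the validator reports every violation instead of a bare yes/no. The key names and the denylist entries are assumptions; the denylist reuses the guessable passwords named in the text.

```python
import json
import re

# Constructed example policy, as an administrator would keep it in a
# separate configuration file rather than hardcoded in the application.
POLICY_JSON = """
{
  "min_length": 8,
  "require_upper": true,
  "require_lower": true,
  "require_digit": true,
  "require_special": true,
  "denylist": ["123456", "jesus", "admin", "password"]
}
"""

# Each character-class requirement maps a policy key to a pattern and a label.
CLASS_CHECKS = {
    "require_upper": (r"[A-Z]", "an uppercase letter"),
    "require_lower": (r"[a-z]", "a lowercase letter"),
    "require_digit": (r"[0-9]", "a digit"),
    "require_special": (r"[^A-Za-z0-9]", "a special character"),
}

def load_policy(text):
    """Parse the policy document; missing keys fall back to the strictest defaults."""
    policy = json.loads(text)
    policy.setdefault("min_length", 8)
    for key in CLASS_CHECKS:
        policy.setdefault(key, True)
    policy.setdefault("denylist", [])
    return policy

def check_password(password, policy):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    for key, (pattern, label) in CLASS_CHECKS.items():
        if policy[key] and not re.search(pattern, password):
            problems.append(f"missing {label}")
    # Compare case-insensitively so 'Admin' is rejected as well as 'admin'.
    if password.lower() in (entry.lower() for entry in policy["denylist"]):
        problems.append("appears on the list of commonly guessed passwords")
    return problems

if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for candidate in ["password", "Admin", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, policy) or "OK")
```

Because the policy is loaded at runtime, tightening the minimum length or extending the denylist is a configuration change rather than a code change and redeployment.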
Passwords should be protected when stored by the Web application in a database or in a file. Chapter 8 deals with protection techniques for sensitive information extensively. Passwords may be encrypted or hashed as per the security requirements. If passwords are encrypted, then the following practices must be followed:

Strong encryption algorithms must be used to encrypt and decrypt passwords.

Keys for encryption and decryption should be strong. The ideal implementation for keys is to generate strong keys from a key management application or API.

Key management practices need to be followed to ensure that keys are used to protect sensitive information like passwords. Encryption keys need to be protected against any