unauthorized disclosure and keys should also be changed on a periodic basis to provide an additional measure of security for the encrypted keys.
◾ Hashing for passwords is also a popular practice in Web applications. The following best practices need to be followed while hashing passwords:
− Strong hashing algorithms need to be used for hashing passwords. Consider using SHA-256 or similar to hash passwords.
− Strong salts also need to be used to add a greater degree of randomness to the hashed password.
◾ Password expiration is another important security consideration for Web applications. Password expiry is a process that has been developed to protect against the possibility of passwords getting leaked over time. In several cases users aren't aware of a compromise of their systems, and as a result an attacker who has a user's password may be able to surreptitiously gain access to the user account, have continued access to sensitive information, and cause greater damage to the organization. Passwords need to be changed periodically and in case of a suspected compromise of the user account. Administrative users of the application must be required to change passwords every 45 to 60 days, depending on the criticality of information and the organization's security policies. Password expiration for ordinary users of the Web application depends upon the nature of the Web application. For instance, a user on an Internet forum Web application need not change passwords at all, as the sensitivity of the information contained in the application is not serious. On the other hand, users of e-commerce applications and banking applications must be required to change their passwords either quarterly or biannually. It is also recommended that the application intimate the user when the date of password change is approaching. This would ensure that the users are not jolted by the application suddenly requiring them to change their passwords. Like password strength parameters, it is ideal not to hardcode password expiration parameters in the Web application. Provisions are to be made to ensure that these parameters may be edited from a set of defaults provided with the deployment of the Web application. The Web application must provide for a maximum time for the use of a particular password, after which a password change must be enforced for all the users of the application.
◾ Password lockouts have become a requirement in today's world of Web application attacks. Brute-force is one of the popular attack techniques, where an attacker keeps trying various password combinations to try and gain access to the user's account. Password lockouts are designed to lock out a particular user after a specific number of invalid attempts. This prevents attackers from continuously attempting brute-force techniques to gain access to the user's password. The user needs to be able to prove his/her identity to the administrator before regaining access to the account. The ideal practice for implementation of password resets is to force the user to answer the password questions set by the user. Once these questions are answered successfully, a new password must be generated by the application for the user, and this password must be sent to the user via an out-of-band mechanism like email or text message. Based on the criticality of the application in question, there may be more than a single password question. The application should also force the user to change the system-generated password (provided as the password reset) when the user logs in for the first time with the said password.
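The expiry and lockout rules from the two items above, as an added example that is not the book's own code: a small Python policy module with deployment-editable defaults (the 60-day age, 7-day warning and 5-attempt threshold are constructed values, not figures from the text), a lock that clears only through the identity-proof reset path, and a forced change of the system-generated password on first use.

```python
# Added example, not the book's code: the lockout and expiry rules from the text above.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:             # constructed defaults; load them from deployment config
    max_age_days: int = 60        # longest a password may stay in use
    warn_before_days: int = 7     # intimate the user this far ahead of expiry
    max_failed_attempts: int = 5  # invalid logins before the account locks

@dataclass
class Account:
    username: str
    password_changed_at: datetime
    failed_attempts: int = 0
    locked: bool = False              # cleared only after identity is proven
    must_change_password: bool = False

def expiry_status(acct: Account, policy: PasswordPolicy, now: datetime) -> str:
    """'expired' forces a change; 'warning' means the change date is approaching."""
    remaining = timedelta(days=policy.max_age_days) - (now - acct.password_changed_at)
    if remaining <= timedelta(0):
        return "expired"
    return "warning" if remaining <= timedelta(days=policy.warn_before_days) else "ok"

def record_login_attempt(acct: Account, policy: PasswordPolicy, valid: bool) -> bool:
    """A valid login clears the counter; an invalid one counts toward lockout. Returns lock state."""
    acct.failed_attempts = 0 if valid else acct.failed_attempts + 1
    if acct.failed_attempts >= policy.max_failed_attempts:
        acct.locked = True
    return acct.locked

def reset_after_identity_proof(acct: Account, now: datetime) -> str:
    """Run only after the password questions were answered; returns a system-generated password to send out-of-band."""
    temp_password = secrets.token_urlsafe(12)
    # unlock, clear the counter, and force a change on the first login with the new password
    acct.locked, acct.failed_attempts, acct.must_change_password = False, 0, True
    acct.password_changed_at = now
    return temp_password

def demo() -> dict:
    policy, now = PasswordPolicy(), datetime(2024, 1, 1)   # constructed account and clock
    acct = Account("alice", password_changed_at=now - timedelta(days=55))
    states = {"expiry": expiry_status(acct, policy, now)}
    for _ in range(policy.max_failed_attempts):
        record_login_attempt(acct, policy, valid=False)
    states["locked"] = acct.locked
    states["temp_len"] = len(reset_after_identity_proof(acct, now))
    states["after_reset"] = (acct.locked, acct.must_change_password)
    return states
```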
◾ Password answers are an important aspect of password management for Web applications. Password answers are implemented in Web applications to initiate password resets or when the user does not remember the password to log in to his/her account. The application