prompts the user to enter password questions and answers that the user will be able to recall at the time of a password reset. It is important that the questions be of a personal nature. For instance, "What is the name of your favorite restaurant?" may be a better question for a password reset than "What is the name of your high school?", as the latter is far more likely to be a publicly known fact. Password questions and password answers should also be encrypted or hashed when stored, and all the key management and hashing best practices applicable to stored passwords should also apply to password answers. Because an answer is recalled from memory, it should be normalized (case, punctuation and spacing) before it is hashed, so that a legitimate user is not locked out by a trivial difference in how the answer is typed.
Password history is another security feature built with the same objective as password expiration. Password history prevents a user, when changing a password, from reusing any password used on the previous few occasions. For instance, Bob needs to change his password to access his banking application. The banking application enforces a password history of four passwords. Bob's last four passwords were DjAck@l*321, InDiAnAj0neS^321, st@Rw@rs#1985 and bLAdeRuNNeR@121. Because the banking application enforces a password history of four passwords, Bob will not be allowed to use any of these four when prompted to change his password at this time. The rationale is the same as for password expiration: it is assumed that passwords are disclosed over time, and reuse of an old password could result in a breach of access control. The history itself must be kept as password hashes, never as cleartext, and the candidate password is checked against each stored hash before the change is accepted.
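The two stored-secret rules above, hashing password-reset answers exactly like passwords and enforcing a four-deep password history, share one hashing routine, so the added example below (written for this page, not code from the book) implements both together. It uses PBKDF2-HMAC-SHA256 from the standard library as the slow salted hash; the iteration count, the "favorite restaurant" answer and the fifth password are assumptions, while the four passwords are Bob's from the text.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (an assumed setting; raise it as hardware improves).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
# Depth of the password history: the four passwords enforced in Bob's banking example.
HISTORY_DEPTH = 4


@dataclass(frozen=True)
class StoredHash:
    """What the database keeps for a password or a reset answer: never the secret itself."""
    salt: bytes
    digest: bytes
    iterations: int = PBKDF2_ITERATIONS


def hash_secret(secret: str, salt: Optional[bytes] = None) -> StoredHash:
    """Salted, slow hash used identically for passwords and for password-reset answers."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return StoredHash(salt=salt, digest=digest)


def verify_secret(secret: str, stored: StoredHash) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


def normalize_answer(answer: str) -> str:
    """Reset answers are recalled from memory, so ignore case, punctuation and extra
    spacing before hashing: "Joe's  Diner" and "joes diner" must hash to the same value."""
    lowered = answer.casefold()
    letters_only = re.sub(r"[^\w\s]", "", lowered)
    return " ".join(letters_only.split())


@dataclass
class Account:
    # Hashes of the current and previous passwords, newest last, at most HISTORY_DEPTH entries.
    password_history: list[StoredHash]
    # Question text -> hash of the normalized answer.
    reset_answers: dict[str, StoredHash] = field(default_factory=dict)


def create_account(password: str, questions: dict[str, str]) -> Account:
    return Account(
        password_history=[hash_secret(password)],
        reset_answers={q: hash_secret(normalize_answer(a)) for q, a in questions.items()},
    )


def verify_password(acct: Account, password: str) -> bool:
    return verify_secret(password, acct.password_history[-1])


def change_password(acct: Account, new_password: str) -> bool:
    """Reject the change if the new password matches any of the last HISTORY_DEPTH
    passwords (the current one included); otherwise rotate the history."""
    if any(verify_secret(new_password, old) for old in acct.password_history):
        return False
    acct.password_history.append(hash_secret(new_password))
    del acct.password_history[:-HISTORY_DEPTH]  # forget anything older than the last four
    return True


def verify_reset_answer(acct: Account, question: str, answer: str) -> bool:
    stored = acct.reset_answers.get(question)
    if stored is None:
        return False
    return verify_secret(normalize_answer(answer), stored)


def bob_scenario() -> dict[str, bool]:
    """Replays Bob's four passwords from the text; the restaurant answer is constructed."""
    acct = create_account("DjAck@l*321", {"favorite restaurant": "Joe's Diner"})
    for pw in ("InDiAnAj0neS^321", "st@Rw@rs#1985", "bLAdeRuNNeR@121"):
        if not change_password(acct, pw):
            raise RuntimeError("fresh password unexpectedly rejected")
    return {
        "reuse_oldest_of_four": change_password(acct, "DjAck@l*321"),   # False: still in history
        "fresh_password": change_password(acct, "tH3M@trix!1999"),      # True
        "oldest_after_rotation": change_password(acct, "DjAck@l*321"),  # True: no longer in the last four
        "answer_normalized": verify_reset_answer(acct, "favorite restaurant", "joes diner"),
        "wrong_answer": verify_reset_answer(acct, "favorite restaurant", "Burger Barn"),
    }


if __name__ == "__main__":
    print(bob_scenario())
```

Note that the history check costs one slow hash per stored entry, which is the price of never keeping old passwords in a form that a database leak could read back; with a depth of four that is still cheap, and the same cost bounds an attacker who obtains the table. The answer normalization deliberately happens before hashing on both the enrollment and the verification path, so the stored hash is of the canonical form only.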
The "Remember Me" password feature of Web applications is also a possible security vulnerability through which user accounts can be compromised. The Remember Me feature is used to identify returning users accessing the Web application from their personal computers: the application does not ask the user to enter his/her credentials repeatedly if the user has checked the Remember Me option. However, certain nonsecure practices have given rise to several attacks against this feature. First, the password should not be cached in the browser. This is a dangerous practice, especially on public computers, as attackers can easily access the browser's stored form data and recover user passwords from it. The password field in HTML should be set to autocomplete="off" to signal that the browser should not record the password; note that current browsers largely ignore this attribute for login fields and still offer to save the password, so it reduces exposure but is no substitute for users declining to save credentials on shared machines. Another area of concern with the Remember Me feature is that the application stores a cookie on the user's system. In a vulnerable Web application the cookie stores the password in cleartext, making it extremely simple for an attacker who obtains the cookie to recover the user's password. If the password is stored in the cookie for the Remember Me feature, it must be hashed with a strong hash, following the same hashing practices that should be adopted for secure storage of passwords. Even then, whatever sits in the cookie is a reusable credential for as long as it remains valid, so the better practice is to put no password-derived value in the cookie at all: issue a random token, keep only a hash of it on the server together with an expiry, and mark the cookie HttpOnly and Secure so that it is neither readable by script nor sent over plaintext HTTP. Highly critical applications like banking and stock-trading applications should not offer Remember Me functionality at all.
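As an added example (not code from the book), the token-based Remember Me design described above: the cookie carries a random selector plus a random verifier, the server stores only a SHA-256 of the verifier with an expiry, and the Set-Cookie header is emitted with the HttpOnly, Secure, Max-Age and SameSite attributes. The cookie name, the 30-day lifetime and the in-memory store are assumptions; a real deployment would keep the records in its database.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "remember_me"                 # assumed cookie name
REMEMBER_ME_TTL = 30 * 24 * 3600            # lifetime in seconds (an assumed policy value)


@dataclass
class RememberMeRecord:
    username: str
    verifier_hash: bytes   # SHA-256 of the random verifier; the verifier itself exists only in the cookie
    expires_at: float


class RememberMeStore:
    """Server-side table of issued tokens. Nothing derived from the password is stored
    anywhere, so a leaked row cannot be turned back into a valid cookie or a password."""

    def __init__(self) -> None:
        self._records: dict[str, RememberMeRecord] = {}

    def issue(self, username: str, now: float) -> str:
        # selector: public lookup key; verifier: 256-bit secret that is only ever compared by hash.
        # A fast hash is enough here because the verifier is random, not a human-chosen password.
        selector = secrets.token_urlsafe(12)
        verifier = secrets.token_urlsafe(32)
        self._records[selector] = RememberMeRecord(
            username=username,
            verifier_hash=hashlib.sha256(verifier.encode("utf-8")).digest(),
            expires_at=now + REMEMBER_ME_TTL,
        )
        return f"{selector}:{verifier}"

    def redeem(self, cookie_value: str, now: float) -> Optional[str]:
        """Return the username for a valid cookie, or None. Expired records and
        mismatched verifiers are revoked on sight."""
        selector, sep, verifier = cookie_value.partition(":")
        if not sep:
            return None
        record = self._records.get(selector)
        if record is None:
            return None
        if now >= record.expires_at:
            del self._records[selector]
            return None
        presented = hashlib.sha256(verifier.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, record.verifier_hash):
            # Right selector, wrong verifier: the cookie was guessed or tampered with.
            del self._records[selector]
            return None
        return record.username

    def revoke_all(self, username: str) -> int:
        """Call on password change or 'log out everywhere'; returns how many tokens were dropped."""
        doomed = [s for s, r in self._records.items() if r.username == username]
        for s in doomed:
            del self._records[s]
        return len(doomed)


def build_set_cookie_header(cookie_value: str) -> str:
    """Set-Cookie value with the flags the cookie needs: HttpOnly keeps script away from it,
    Secure keeps it off plaintext HTTP, Max-Age bounds its life, SameSite limits cross-site sends."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = cookie_value
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["max-age"] = REMEMBER_ME_TTL
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    return jar.output(header="").strip()


if __name__ == "__main__":
    import time
    store = RememberMeStore()
    cookie = store.issue("bob", now=time.time())
    print("Set-Cookie:", build_set_cookie_header(cookie))
    print("redeems as:", store.redeem(cookie, now=time.time()))
```

The selector/verifier split exists so that the database lookup uses a non-secret key and the only secret comparison is the constant-time one on the hash, which avoids leaking timing about which selectors exist. Revoking on a verifier mismatch is a deliberate choice: a well-formed selector with a wrong verifier is far more likely to be a stolen-and-edited cookie than an honest mistake.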
7.2.3 Session—Maintaining a Secure State for Web Applications
Session management is an important aspect of Web applications. Session identifiers are used to keep track of user activities across the Web application. Improper session management has also enabled some powerful attacks on Web application access control, leading to security breaches that expose the sensitive information held by a Web application. There are several practices that need to be adopted to develop secure session management capability for Web applications:
The strength of session identifiers is a critical consideration for secure session management. Insecure session identifiers have resulted in session hijacking attacks, where the attackers