Defining authentication system security weaknesses to combat hackers


Vernon Haberstetzer
02.06.2005


Ah, the good ol' login screen. Is any secure system complete without one? Whether it's a website login screen or a Unix login prompt, most systems' security relies solely on a valid user ID and password to prove one's identity. Since this is usually the only access requirement, it's worth putting your authentication system security practices under a magnifying glass to uncover any authentication weaknesses and see just how well they hold up to a curious hacker.

It's extremely common for hackers to try to brute-force their way into a system by guessing commonly used user IDs and passwords. It's a best practice to avoid using "admin," "test," "user" and any default user IDs. Common passwords to avoid are the user ID, "password," "pass" and any default passwords. Some systems make it easy for a user to discover a valid user ID, displaying a message when a logon failure occurs. Such messages may say, "Invalid user ID," telling the hacker that he or she should keep guessing user IDs. When a valid user ID is found, a malicious hacker may then be shown another revealing message, such as, "Invalid password." Ideally, a system's logon failure message should be generic, such as, "Invalid user ID or password," regardless of the reason for failure. Otherwise, the hacker could enumerate a valid user ID and start guessing passwords, looking for a weak one, which brings us to the next point.
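As an added illustration of the failure-message point (this is example code written for this page, not code from the original tip), the first handler below returns the two revealing messages the paragraph warns about, while the second returns one generic message for every failure. The user store, password and hashing parameters are constructed for the example; the hardened version also hashes a dummy credential for unknown user IDs so that response time does not reveal what the message no longer does.

```python
"""Added example: revealing vs. generic login failure messages.
All users, passwords and parameters here are constructed for the example."""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored values are not reversible; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _make_user(password: str):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Constructed in-memory user database: user ID -> (salt, password hash).
USERS = {
    "alice": _make_user("correct horse battery staple"),
}

# Random dummy credential: unknown IDs do the same hashing work as known ones,
# and no guess can ever match it because its password is never disclosed.
_DUMMY_SALT, _DUMMY_HASH = _make_user(os.urandom(32).hex())


def login_revealing(user_id: str, password: str) -> str:
    """The weakness described in the tip: each message says which half was wrong,
    so an outsider can first enumerate valid IDs and then guess passwords."""
    if user_id not in USERS:
        return "Invalid user ID"
    salt, stored = USERS[user_id]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Invalid password"
    return "OK"


GENERIC_FAILURE = "Invalid user ID or password"


def login_generic(user_id: str, password: str) -> str:
    """Hardened: a single message regardless of the reason for failure.
    The hash is computed even for unknown IDs so timing stays uniform too."""
    salt, stored = USERS.get(user_id, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if user_id in USERS and password_ok:
        return "OK"
    return GENERIC_FAILURE


if __name__ == "__main__":
    for uid, pw in (("bob", "x"), ("alice", "x"), ("alice", "correct horse battery staple")):
        print(f"{uid!r}/{pw!r}: revealing={login_revealing(uid, pw)!r} generic={login_generic(uid, pw)!r}")
```

The revealing handler is the "before" picture; note that the two failure branches in it differ not only in wording but also in how much work they do, which is why the generic version keeps the hashing step on both paths.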

Weak passwords are a significant authentication system security weakness. If at all possible, enforce password rules for every system on the network, especially for systems at the network border. Password and account rules should at least require a mix of letters and numbers, and should specify a minimum password length, password history, account lockout and password expiration. If possible, set password rules that do not allow a password to be the same as the user ID or the user's first or last name, as these are easy to guess. The goal is to force users to choose strong passwords.
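The rules in the paragraph above, carried through as an added example (written for this page, not code from the original tip): a policy check for length, letter/digit mix and the user ID and name comparisons, plus an account object that keeps a password history, locks after repeated failures and reports expiry. The numeric limits (8 characters, 5 remembered passwords, 5 attempts, 90 days) are assumed values chosen for the example; the tip names the rules but not the numbers.

```python
"""Added example: enforcing the password and account rules from the tip.
Policy limits and sample accounts are constructed for the example."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MIN_LENGTH = 8                   # assumed policy values, not from the tip
HISTORY_DEPTH = 5
MAX_FAILED_ATTEMPTS = 5
MAX_AGE_SECONDS = 90 * 24 * 3600


def password_policy_violations(password, user_id, first_name, last_name):
    """Return the list of rules the candidate password breaks (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must mix letters and numbers")
    lowered = password.lower()
    for label, value in (("user ID", user_id), ("first name", first_name), ("last name", last_name)):
        if value and lowered == value.lower():
            problems.append(f"must not equal the {label}")
    return problems


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    first_name: str
    last_name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    history: list = field(default_factory=list)   # last HISTORY_DEPTH hashes, newest last
    set_at: float = 0.0
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, password, now=None):
        """Apply the policy and the history rule; return the violations, empty on success."""
        now = time.time() if now is None else now
        problems = password_policy_violations(password, self.user_id, self.first_name, self.last_name)
        digest = _hash(password, self.salt)
        if digest in self.history:
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history = (self.history + [digest])[-HISTORY_DEPTH:]
        self.current = digest
        self.set_at = now
        return []

    def expired(self, now=None):
        now = time.time() if now is None else now
        return now - self.set_at > MAX_AGE_SECONDS

    def authenticate(self, password, now=None):
        """Outcome is one of 'ok', 'expired', 'failed', 'locked'; the caller should map
        'failed' and 'locked' to the same generic message shown to the user."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(_hash(password, self.salt), self.current):
            self.failed_attempts = 0
            return "expired" if self.expired(now) else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return "failed"


if __name__ == "__main__":
    acct = Account("jsmith", "John", "Smith")
    print(acct.set_password("jsmith", now=0))        # several violations
    print(acct.set_password("Winter2005x", now=0))   # []
    print(acct.authenticate("Winter2005x", now=0))   # ok
```

The history is kept as salted hashes rather than plaintext so the rule can be enforced without storing old passwords; because every entry for one account uses the same salt, a re-used password hashes to an identical digest and is caught.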

To really beef up your authentication mechanism, you should enforce a two- or three-factor authentication system. Multifactor authentication means at least two different types of credentials must be submitted for a user to be authenticated. There are three categories of authentication factors: something you have, something you know and something you are. Each factor in the authentication mechanism should be from a different category than the others. In other words, a user ID and password is still one-factor authentication, since both pieces are something you know. Some valid combinations would be a key fob token and a PIN, a thumbprint and a password or a retina scanner and your voice.

By improving your authentication mechanisms you are making it tougher for hackers to brute-force their way into your systems. With the exception of multifactor authentication systems, the above recommendations should not cost much, if anything, to implement.

About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.