Problem solve Get help with specific problems with your technologies, process and projects.

Defining authentication system security weaknesses to combat hackers

This installment in our primer series focuses on hardening network access and authentication system security to combat hacker attacks.

Ah, the good 'ol login screen. Is any secure system complete without one? Whether it's a website login screen or a Unix login prompt, most systems' security relies solely on a valid user ID and password to prove one's identity. Since this is usually the only access requirement, it's worth putting your authentication system security practices under a magnifying glass to uncover any authentication weaknesses and see just how well they hold up to a curious hacker.

It's extremely common for hackers to try to brute-force their way into a system by guessing commonly used user IDs and passwords. It's a best practice to avoid using "admin," "test," "user" and any default user IDs. Common passwords to avoid are the user ID, "password," "pass" and any default passwords. Some systems make it easy for a user to discover a valid user ID, displaying a message when a logon failure occurs. Such messages may say, "Invalid user ID," telling the hacker that he or she should keep guessing user IDs. When a valid user ID is found, a malicious hacker may then be shown another revealing message, such as, "Invalid password." Ideally, a system's logon failure message should be generic, such as, "Invalid user ID or password," regardless of the reason for failure. Otherwise, the hacker could enumerate a valid user ID and start guessing passwords, looking for a weak one, which brings us to the next point.

Weak passwords are a significant authentication system security weakness. If at all possible, enforce password rules for every system on the network, especially for systems at the network border. Password and account rules should at least require a mix of letters and numbers, and should specify a minimum password length, password history, account lockout and password expiration. If possible, set password rules that do not allow a password to be the same as the user ID or the user's first or last name, as these are easy to guess. The goal is to force users to choose strong passwords.

To really beef up your authentication mechanism, you should enforce a two- or three-factor authentication system. Multifactor authentication means at least two different types of credentials must be submitted for a user to be authenticated. There are three categories of authentication factors: something you have, something you know and something you are. Each factor in the authentication mechanism should be from a different category than the others. In other words, a user ID and password is still one-factor authentication, since both pieces are something you know. Some valid combinations would be a key fob token and a PIN, a thumbprint and a password or a retina scanner and your voice.

By improving your authentication mechanisms you are making it tougher for hackers to brute-force their way into your systems. With the exception of multifactor authentication systems, the above recommendations should not cost much, if anything, to implement.

About the author
Vernon Haberstetzer, president of security seminar and consulting company, has seven years of in-the-trenches security experience in healthcare and retail environments.



  Introduction: Hacker attack tactics
 How to stop hacker theft
  Hacker system fingerprinting, probing
  Using network intrusion detection tools
  Avoid physical security threats
  Authentication system security weaknesses
  Improve your access request process
  Social engineering hacker attack tactics
  Secure remote access points
 Securing your Web sever
  Wireless security basics
  How to tell if you've been hacked


This was last published in February 2005

Dig Deeper on Hacker tools and techniques: Underground hacking sites