Typically, when we think of Web security testing, vulnerabilities such as SQL injection, cross-site scripting and so on come to mind. Rightly so: the flaws resulting from poor input validation alone are still a large part of the problem. But there’s another Web security vulnerability that doesn’t get as much attention – often none at all. It’s testing for weak passwords.
Overall Web security is only as good as the weakest link in the system and a blank, default, or otherwise easy to guess password is all it takes to break down the walls. And the reality is many password cracking attempts go unnoticed, especially when they’re carried out over SSL and intruder lockout is not enabled. Furthermore, without multifactor authentication it’s virtually impossible to distinguish legitimate logins from unauthorized ones. Once the bad guys obtain legitimate login credentials, it’s not just an access control issue – accountability’s out the window as well.
The thing is we make a lot of assumptions about passwords:
• Users will do what’s right and select reasonable passwords, not share them among sites/applications and look out for the best interest of the business
• Developers of a Web site/application have taken reasonable steps to enforce strong passwords
• Password cracking attempts will be detected by the firewall or IPS, or intruder lockout will kick in and lock things down
• What is there to lose – we don’t have anything the bad guys would want anyway
These are all short-sighted and dangerous ways of thinking that affect Web security for all of us.
I think we need to step things up in this arena because I suspect the problem of weak passwords is much more widespread than we believe it is. If the findings from the analysis of the 10,000 leaked Hotmail passwords are not enough, I don’t know what is. The good thing is there are tools that can help. Acunetix Web Vulnerability Scanner has good password testing capabilities. There are alternatives from other vendors and freeware/open source developers (e.g. Brutus and others) as well.
The problem, however, is that I still don’t believe password testing tools are where they need to be given what’s at stake. Most tools perform dictionary-based cracking, which, to me, is very limited. It’s time-consuming and provides a false sense of security – even when using a comprehensive dictionary like the “BlackKnight List” floating around the Web.
The best thing to do is keep people from ever being able to create weak passwords in the first place. That sounds great, but we’re far from reaching that state. For now, it’s up to those of us performing Web security assessments and audits to make sure things are in check. There’s no way to know for sure if every possible weak password has been tested for, but my fingers are crossed that testing tools will continue to evolve and be able to help us a lot more in the near future.
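As an added illustration of the server-side enforcement the post asks developers for (not code from the post or from any product it mentions), here is a registration-time check that rejects the blank, default and dictionary-derived passwords a cracking tool would try first. The word lists are constructed stand-ins for a real default-password list and cracking dictionary.

```python
# Added example, not part of the original post: a server-side password
# acceptance check. The two word sets are constructed for illustration;
# a real deployment would load full default-password and dictionary lists.
import re
from typing import List

# Constructed sample of blank/default/common passwords tried first by crackers.
DEFAULT_PASSWORDS = {"", "password", "admin", "123456", "welcome", "letmein", "qwerty"}
# Constructed stand-in for a cracking dictionary such as the lists the post mentions.
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football", "hotmail", "acunetix"}

# Common substitutions users apply to a dictionary word ("P@$$w0rd" -> "password").
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Undo the usual tricks layered on a dictionary word: lower-case it,
    drop a trailing year/digits/punctuation ("Summer2009!" -> "summer"),
    then reverse leetspeak substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


def weak_password_reasons(password: str, min_length: int = 12) -> List[str]:
    """Return every reason the password should be refused (empty list = ok)."""
    if password == "":
        return ["blank password"]
    reasons = []
    if password.lower() in DEFAULT_PASSWORDS:
        reasons.append("default or common password")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    core = normalize(password)
    if core in DICTIONARY_WORDS or core in DEFAULT_PASSWORDS:
        reasons.append(f"dictionary word after normalization ({core!r})")
    return reasons


def is_acceptable(password: str) -> bool:
    """True only when no weakness was found; call this before storing a hash."""
    return not weak_password_reasons(password)
```

Each reason is returned rather than just a yes/no so the registration form can tell the user exactly why a choice like "Welcome1" was refused.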