Watch your door - Ensuring the security of the authentication mechanism (5) - Preventing misuse of password change and password recovery

Source: Internet
Author: User

A declaration first: this article is purely the ignorant view of a small developer without much foresight or knowledge, and is intended only as a reference on web system security.

1. Prerequisites

Implementing a secure authentication mechanism means meeting several key security goals at the same time, and usually at the expense of other goals such as ease of use, cost and functionality.

2. Basic requirements for preventing misuse of password change

Some basic requirements, written down here so they can be consulted later.
1. Add a simple image verification code (CAPTCHA), so that it is reasonably certain a person, not a machine, is operating the form;
2. The feature must only be reachable from a session that has already been authenticated;
3. Never accept the username from the request in any way, including through a hidden form field or a cookie; take it from the server-side session;
4. To stop an attacker who holds a session-hijacking or cross-site scripting vulnerability, or who finds a page someone forgot to close, from using the function without authorization, require the user to re-enter the existing password;
5. To guard against typing errors, have the new password entered twice and check that the two entries match;
6. On an important system, repeated failures of the password change function are a likely sign of attack, so the failures should be counted and acted on (for example by locking the function for a while).
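The six requirements above are easiest to judge when they sit together in one request handler, in the order they have to be checked. The following is an added example written for this page, not code from the original article. It is plain Python with in-memory stand-ins for the session and the user table; the function and field names (`change_password`, `make_user`, `current_password`, `new_password`, `confirm_password`, `captcha_ok`), the lockout threshold and window, and the minimum length are all assumptions, as is the CAPTCHA being checked elsewhere and recorded as a session flag.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# All names and thresholds below are assumptions made for this example, not from the article.
PBKDF2_ROUNDS = 200_000     # tune to your hardware; OWASP currently recommends 600,000 for SHA-256
MAX_FAILED_CHANGES = 3      # requirement 6: wrong "current password" entries before locking
LOCK_SECONDS = 15 * 60      # requirement 6: how long the function stays locked
MIN_PASSWORD_LENGTH = 12    # the article sets no length; this is an assumed policy


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    failed_changes: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def make_user(name: str, password: str) -> User:
    salt, digest = hash_password(password)
    return User(name, salt, digest)


def change_password(session: dict, form: dict, users: dict,
                    now: Optional[float] = None) -> tuple:
    """Apply requirements 1-6 from the list above, in that order.

    `session` is the server-side session (trusted), `form` is the POST body
    (untrusted). Returns (ok, message); the message is safe to show the user.
    """
    now = time.time() if now is None else now

    # 1. A CAPTCHA must have been solved for this request. The CAPTCHA service
    #    itself is out of scope; we assume it sets session["captcha_ok"], and we
    #    clear the flag once consumed so a solved CAPTCHA cannot be replayed.
    if not session.get("captcha_ok"):
        return False, "captcha required"
    session["captcha_ok"] = False

    # 2. Only an authenticated session may reach this function.
    username = session.get("user")
    if not username or username not in users:
        return False, "authentication required"

    # 3. The username comes from the session, never from a hidden field or
    #    cookie. A request that tries to supply one is treated as tampering.
    if "username" in form or "user" in form:
        return False, "invalid request"
    user = users[username]

    # 6. Repeated failures are a sign of attack: honour an active lockout
    #    before checking anything else.
    if now < user.locked_until:
        return False, "too many failed attempts, try again later"

    # 4. Re-enter the existing password so a hijacked, XSS-abused or
    #    unattended session cannot silently take over the account.
    if not verify_password(form.get("current_password", ""), user.salt, user.digest):
        user.failed_changes += 1
        if user.failed_changes >= MAX_FAILED_CHANGES:
            user.locked_until = now + LOCK_SECONDS
            user.failed_changes = 0
        return False, "current password is incorrect"

    # 5. The new password is typed twice and both copies must match.
    new_password = form.get("new_password", "")
    if new_password != form.get("confirm_password", ""):
        return False, "new passwords do not match"
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return False, "new password too short"

    user.salt, user.digest = hash_password(new_password)
    user.failed_changes = 0
    return True, "changed"
```

Two details worth noticing: the lockout is checked before the current password is verified, so an attacker who is already locked out gets no further oracle, and the password comparison goes through `hmac.compare_digest` rather than `==` so the time taken does not depend on how many leading bytes match.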

3. Basic requirements for preventing misuse of password recovery

Password recovery is probably the weakest point in most systems today. Some basic requirements, written down here so they can be consulted later.
1. Add a simple image verification code (CAPTCHA), so that it is reasonably certain a person, not a machine, is operating the form;
2. When a user of an important system forgets the password, it is best to complete recovery through an out-of-band channel: a call to the call center, a letter by traditional mail carrying fresh credentials, or simply freezing the account for a period of time;
3. SMS, e-mail and similar channels can easily open loopholes, yet they seem to be the cornerstone of the modern internet economy; if the phone is lost, you are on your own ...;
4. Do not use any kind of password "hint"; an attacker can use an obvious hint to launch an attack;
5. Do not provide the username directly in any way, nor carry it in a hidden form field or cookie;
6. The security question used for recovery should be random enough that an attacker cannot easily guess the answer, but ... many problems are not black and white; they are a matter of balance, they are gray ...;
7. Finally, once the user has passed all the checks, recovery is usually completed by e-mailing a one-time reactivation URL. Even at this step, never reveal the user's previous password or any other account information; and if instead a new password is generated and sent by SMS, make sure it is strong enough that an attacker cannot guess it.
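The e-mailed reactivation URL of item 7, the neutral reply that keeps the form from confirming account names in the spirit of item 5, and the "strong enough" generated password item 7 mentions can all be seen in one small flow. The following is an added example written for this page, not code from the original article. The URL `https://example.test/reset?token=`, the function names (`request_reset`, `redeem_reset`, `temporary_password`), the 15-minute lifetime and the in-memory `accounts` and `tickets` tables are assumptions; setting the new password once `redeem_reset` has named the account is left to a handler like the one in section 2.

```python
import hashlib
import math
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

# All names and values below are assumptions made for this example, not from the article.
TOKEN_TTL_SECONDS = 15 * 60                       # how long a reset link stays valid
RESET_URL = "https://example.test/reset?token="   # hypothetical reactivation URL
NEUTRAL_REPLY = "If that address is registered, a reset link has been sent."
TEMP_PASSWORD_ALPHABET = string.ascii_letters + string.digits


@dataclass
class ResetTicket:
    username: str
    expires_at: float
    used: bool = False


def _token_key(token: str) -> bytes:
    """Only a SHA-256 of the token is stored, so a leaked ticket table cannot be redeemed."""
    return hashlib.sha256(token.encode("utf-8")).digest()


def request_reset(address: str, accounts: dict, tickets: dict,
                  now: Optional[float] = None) -> tuple:
    """Step 1: the user asks for recovery by e-mail address.

    `accounts` maps e-mail address -> username (a constructed stand-in for the
    user table). Returns (message shown on the page, URL to put in the mail).
    The message is identical whether or not the address is registered, so the
    form never confirms which accounts exist; the URL goes to the mailbox only.
    """
    now = time.time() if now is None else now
    username = accounts.get(address)
    if username is None:
        return NEUTRAL_REPLY, None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    tickets[_token_key(token)] = ResetTicket(username, now + TOKEN_TTL_SECONDS)
    return NEUTRAL_REPLY, RESET_URL + token


def redeem_reset(token: str, tickets: dict, now: Optional[float] = None) -> Optional[str]:
    """Step 2: the link is opened. Returns the username that may now set a new
    password, or None. Nothing about the old password is revealed: the ticket
    never held it. Each token is single-use and expires after TOKEN_TTL_SECONDS.
    """
    now = time.time() if now is None else now
    ticket = tickets.get(_token_key(token))
    if ticket is None or ticket.used or now > ticket.expires_at:
        return None
    ticket.used = True
    return ticket.username


def temporary_password(length: int = 12) -> str:
    """If the system texts a freshly generated password instead of a link, draw
    it from the CSPRNG, never from a pattern (date, phone digits) an attacker can predict."""
    return "".join(secrets.choice(TEMP_PASSWORD_ALPHABET) for _ in range(length))


def temporary_password_bits(length: int = 12) -> float:
    """Entropy of such a password, to check it is strong enough to resist guessing."""
    return length * math.log2(len(TEMP_PASSWORD_ALPHABET))
```

The ticket table is keyed by the hash of the token rather than the token itself: a database dump then contains nothing that can be pasted into the reset URL. A twelve-character password from this alphabet carries a little over 71 bits of entropy, which is far beyond what an attacker can brute-force through a rate-limited login form; anything generated from the account's own data (birthday, last digits of the phone number) would not be.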
