Design Flaws in Authentication Mechanisms
Authentication functionality is subject to more design weaknesses than any other security mechanism commonly employed in web applications. Even in the apparently simple, standard model where an application authenticates users based on their username and password, shortcomings in the design of this model can leave the application highly vulnerable to unauthorized access.
Bad Passwords
Many web applications employ no or minimal controls over the quality of users' passwords. It is common to encounter applications that allow passwords that are:
- Very short or blank
- Common dictionary words or names
- The same as the username
- Still set to a default value
Figure 6.1 shows an example of weak password quality rules. End users typically display little awareness of security issues. Hence, it is highly likely that an application that does not enforce strong password standards will contain a large number of user accounts with weak passwords set. An attacker...
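As an added example that is not part of the book's text, the following Python check rejects each of the four weak-password categories listed above; the 12-character minimum and the word lists are constructed assumptions standing in for a real policy and a full dictionary/breach list.

```python
# Added example (not from the book): a minimal password-quality check that
# rejects each category of weak password the text lists above.
import re

MIN_LENGTH = 12  # assumed policy value, not taken from the page

# Constructed sample lists; a real deployment loads a full dictionary/name
# list and the application's own default credentials.
COMMON_WORDS = {"password", "welcome", "monkey", "dragon", "letmein", "michael"}
DEFAULT_PASSWORDS = {"changeme", "admin", "password1", "default"}


def _normalize(text: str) -> str:
    """Lower-case and strip digits/symbols so 'Password123!' still
    matches the dictionary word 'password'."""
    return re.sub(r"[^a-z]", "", text.lower())


def check_password(username: str, password: str) -> list[str]:
    """Return the list of policy violations (empty list means acceptable)."""
    problems = []

    # 1. Very short or blank
    if not password or len(password) < MIN_LENGTH:
        problems.append("too short or blank")

    # 2. Common dictionary words or names (after stripping decoration)
    core = _normalize(password)
    if core in COMMON_WORDS:
        problems.append("common dictionary word or name")

    # 3. The same as the username (or simply containing it)
    user = username.lower()
    if user and (core == _normalize(username) or user in password.lower()):
        problems.append("same as or contains the username")

    # 4. Still set to a default value
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("still set to a default value")

    return problems
```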