Threat                                                             | Mitigation
(threat text cut off in source)                                    | Password policy
Online attack using stolen device cookies                          | Limited; prevent cookie leaks
Online attack against multiple users                               | Not mitigated
Spoof device cookie                                                | Crypto
Tamper with existing device cookie                                 | Crypto
DoS for specific account                                           | OOB device cookie issue
DoS for specific account when client is used by different accounts | Device cookies per account
• Prevent cookie leakage with the Secure and HttpOnly flags.
• Issue a device cookie for a valid password reset link.
• Issue a new device cookie after each successful login.
• Include the user ID in the cookie name (privacy concerns?).
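The following is an added example (not code from the original slides or from OWASP) that puts the table and the recommendations above together: an HMAC-protected device cookie (the "Crypto" mitigation against spoofing and tampering), a cookie name derived from the user ID, Secure/HttpOnly attributes on the Set-Cookie header, a fresh cookie after every successful login, an out-of-band issue path for the password-reset link, and separate failed-attempt counters for untrusted clients (per account) and trusted clients (per cookie). The threshold of 5 attempts, the 15-minute lockout, the comma-separated cookie layout, the hashing of the user ID in the cookie name, and the revocation of the old cookie on rotation are all assumptions of this example, not values from the page.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Server-side MAC key; constructed here, would come from a key store in practice.
SERVER_KEY = secrets.token_bytes(32)

MAX_FAILED_ATTEMPTS = 5     # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


def make_device_cookie(user_id: str, key: bytes) -> str:
    """Issue a fresh device cookie: user_id, random nonce, HMAC over both.
    The MAC is what defeats spoofed and tampered cookies."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, f"{user_id},{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id},{nonce},{tag}"


def verify_device_cookie(cookie: str, key: bytes):
    """Return (user_id, nonce) if the MAC checks out, otherwise None."""
    parts = cookie.split(",")
    if len(parts) != 3:
        return None
    user_id, nonce, tag = parts
    expected = hmac.new(key, f"{user_id},{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return user_id, nonce


def device_cookie_name(user_id: str) -> str:
    """Per-account cookie name so one browser can hold cookies for several accounts.
    Hashing the user ID (assumed design) keeps it out of the cookie name in clear."""
    return "device_" + hashlib.sha256(user_id.encode()).hexdigest()[:16]


def set_cookie_header(user_id: str, cookie_value: str) -> str:
    """Set-Cookie line with the leak-limiting attributes from the recommendations."""
    return (f"Set-Cookie: {device_cookie_name(user_id)}={cookie_value}; "
            "Secure; HttpOnly; SameSite=Strict; Path=/login")


class LoginGuard:
    """Tracks failed logins separately for untrusted (no/invalid cookie) and
    trusted (valid cookie) clients, so guessing from untrusted clients locks the
    account for them only, while the legitimate device keeps its own counter."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now
        self.untrusted_fail = defaultdict(int)   # keyed by user_id
        self.untrusted_lock_until = {}
        self.trusted_fail = defaultdict(int)     # keyed by (user_id, nonce)
        self.trusted_lock_until = {}
        self.revoked_nonces = set()

    def issue_out_of_band(self, user_id: str) -> str:
        """Cookie issued from a valid password-reset link (the 'OOB' mitigation)."""
        return make_device_cookie(user_id, self.key)

    def _locked(self, table, key) -> bool:
        return table.get(key, 0) > self.now()

    def login(self, user_id: str, password_ok: bool, cookie: str = None):
        """Return (status, new_cookie); status is 'ok', 'bad_password' or 'locked'."""
        parsed = verify_device_cookie(cookie, self.key) if cookie else None
        trusted = (parsed is not None and parsed[0] == user_id
                   and parsed[1] not in self.revoked_nonces)
        if trusted:
            key, fails, locks = (user_id, parsed[1]), self.trusted_fail, self.trusted_lock_until
        else:
            key, fails, locks = user_id, self.untrusted_fail, self.untrusted_lock_until
        if self._locked(locks, key):
            return "locked", None
        if not password_ok:
            fails[key] += 1
            if fails[key] >= MAX_FAILED_ATTEMPTS:
                locks[key] = self.now() + LOCKOUT_SECONDS
                fails[key] = 0
                if trusted:                       # a misbehaving device loses its cookie
                    self.revoked_nonces.add(parsed[1])
            return "bad_password", None
        fails.pop(key, None)
        if trusted:                               # rotate: old cookie stops being trusted
            self.revoked_nonces.add(parsed[1])
        return "ok", make_device_cookie(user_id, self.key)


if __name__ == "__main__":
    guard = LoginGuard(SERVER_KEY)
    status, cookie = guard.login("alice", True, guard.issue_out_of_band("alice"))
    print(status, set_cookie_header("alice", cookie))
```

The untrusted counter is per account, which is why a guessing campaign from clients without a cookie ends in a lockout that does not touch the trusted device; the trusted counter is per cookie, so a leaked cookie that keeps failing is revoked on its own. The "online attack against multiple users" row stays unmitigated here exactly as in the table: nothing in this scheme limits one attempt per account across many accounts.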
PasswordsCon, and specific talks from PasswordsCon 14:
• Marc Heuse, "Online Password Attacks"
• Alec Muffett, "Facebook Password Hashing & Authentication"
• "An Administrator's Guide to Internet Password Research"