These are the slides of my talk at the Security Meetup by SBA Research (https://www.meetup.com/Security-Meetup-by-SBA-Research/events/258387229/).
The media are full of news about breached user accounts and passwords. At the same time, applications rarely protect well against password-guessing attacks, even newly built ones.
Questions you might ask yourself:
- What can we do about that?
- Shall we lock out users after too many failed attempts?
- If we do, shall we lock them permanently or temporarily?
- If temporarily, how long?
- How can I prevent an attacker from systematically locking out users?
- Is user enumeration even a thing?
- How do big companies deal with this?
- What does a modern password policy look like?
- How can I make sure that everything is transparent to my users and that they can notice and react to malicious activity?
- Are there other and better mechanisms to protect user accounts?
Unfortunately, the answers to these questions are not always trivial; they depend on the type of data that your application processes and on its requirements regarding the CIA triad (confidentiality, integrity, availability). In this meetup, we'll explore which questions you need to answer in order to make an educated decision on what to do.
We'll also explore some pretty smart techniques for balancing confidentiality/integrity against availability requirements, and how these techniques can help you solve a number of other problems.