Broken authentication is an umbrella term for weaknesses in how a web application manages credentials and sessions. Attackers exploit those weaknesses to impersonate legitimate users, either by taking over a live session with a hijacked session ID or by logging in with stolen credentials.
You can compare broken authentication to two real-world scenarios. Hijacking a session ID is like thieves waiting for you to unlock your front door and then pushing in behind you. Stealing login credentials is like thieves lifting your house keys from your bag while you sit in a cafe. Either way, the intruders never have to pick the lock: they get in by exploiting a moment when you let your guard down.
We mentioned two ways attackers take over vulnerable accounts: session ID hijacking and credential theft. Let's take a closer look at each.
How Do Attackers Hijack Session IDs?
A web session spans the time from when a user first lands on a site to when they log out or the session expires. Because HTTP itself is stateless, the application tracks each visitor by issuing a session ID at the start of the session and checking it on every subsequent request. The ID is normally stored in a cookie in the user's browser, while the server keeps the matching session state (who is logged in, since when) on its side.
Session hijacking occurs when an attacker obtains a valid session ID and presents it to the application, which then treats the attacker as the logged-in user. The ID can be captured in transit over an unencrypted connection, read from a URL or log where it was exposed, or simply guessed if it is predictable. If the legitimate user never logs out and the application never expires the session, the stolen ID keeps working indefinitely, and the attacker can quietly continue the user's session.
How Do Attackers Steal User Credentials?
The best-known means of credential theft today is phishing. Attackers lure victims to a look-alike site and get them to type in their usernames and passwords, which the fake site records for the attackers to use later.
Another is to buy working stolen credentials on the Dark Web. Underground markets sell credential dumps and "fullz" (slang for "full information," a package of a victim's personal details and account data) for use in taking over the affected accounts.
What Are the Usual Causes of Broken Authentication?
Organizations become vulnerable to broken authentication attacks mainly through poor implementation of identity and access controls: how they verify identity at login, how they store credentials, and how they manage the session that follows each login to their websites and applications.
The usual causes of broken authentication include:
- Predictable or easy-to-guess username and password combinations (e.g., first-name initial plus last name as the username and a birthday as the password)
- Storing passwords in plaintext, or protecting them with reversible encryption or a fast unsalted hash instead of a salted, slow password hash such as bcrypt, scrypt, or Argon2
- Session IDs exposed in the URL, where they end up in browser history, bookmarks, proxy logs, and Referer headers
- Session IDs that never time out and are not revoked when the user logs out
- Reusing the same session ID across logins instead of issuing a fresh one (which also leaves the application open to session fixation)
- Sending passwords, session IDs, and other credentials over unencrypted connections
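To make the session-related causes above concrete, here is an added example (not code from the original page) that puts a deliberately weak session manager next to a hardened one. The class names, timeout values, and cookie attributes are assumptions chosen for illustration; the hardening pattern itself (random IDs from the OS CSPRNG, a fresh ID on every login, hashed server-side storage, idle and absolute timeouts, and a cookie with security flags instead of a URL parameter) is standard practice.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example; tune them to the application.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is revoked
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime of a session regardless of activity


class WeakSessionManager:
    """Deliberately reproduces the causes listed above: predictable IDs,
    one ID reused for every login, and no expiry or revocation."""

    def __init__(self):
        self._counter = 1000
        self._sessions = {}   # session_id -> username
        self._by_user = {}    # username -> session_id, reused on every login

    def login(self, username):
        sid = self._by_user.get(username)
        if sid is None:
            self._counter += 1            # sequential: an attacker can guess neighbours
            sid = str(self._counter)
            self._by_user[username] = sid
            self._sessions[sid] = username
        return sid                        # typically leaks as ?sid=1001 in the URL

    def user_for(self, sid):
        return self._sessions.get(sid)    # valid forever; there is no logout


@dataclass
class _Record:
    username: str
    created: float
    last_seen: float


class HardenedSessionManager:
    """Random per-login IDs, hashed at rest, revoked on logout or timeout."""

    def __init__(self, clock=time.time):
        self._clock = clock               # injectable so timeouts can be tested
        self._sessions = {}               # sha256(session_id) -> _Record

    @staticmethod
    def _key(sid):
        # Store only a hash: a leaked session table cannot be replayed as-is.
        return hashlib.sha256(sid.encode()).hexdigest()

    def login(self, username):
        sid = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG, new each login
        now = self._clock()
        self._sessions[self._key(sid)] = _Record(username, now, now)
        return sid

    def user_for(self, sid):
        rec = self._sessions.get(self._key(sid))
        if rec is None:
            return None
        now = self._clock()
        if now - rec.created > ABSOLUTE_TIMEOUT or now - rec.last_seen > IDLE_TIMEOUT:
            self.logout(sid)              # expired: revoke rather than silently extend
            return None
        rec.last_seen = now
        return rec.username

    def logout(self, sid):
        self._sessions.pop(self._key(sid), None)

    @staticmethod
    def set_cookie_header(sid):
        # Carry the ID in a cookie, not the URL. HttpOnly keeps scripts away from it,
        # Secure keeps it off plaintext HTTP, SameSite limits cross-site sending.
        return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    weak = WeakSessionManager()
    print("weak IDs:", weak.login("alice"), weak.login("bob"), weak.login("alice"))
    hard = HardenedSessionManager()
    sid = hard.login("alice")
    print(hard.set_cookie_header(sid))
    hard.logout(sid)
    print("after logout:", hard.user_for(sid))
```

Running the script shows the weak manager handing out 1001, 1002 and then 1001 again for the second alice login, while the hardened manager returns a new 43-character token each time and answers None for a token that has been logged out or has exceeded either timeout.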
How Can You Protect against Broken Authentication?
There are several ways to protect users against broken authentication attacks, including:
- Implement multifactor authentication (MFA) wherever possible; a phished or purchased password alone then no longer grants access.
- Do not let employees keep default login credentials, especially on accounts with administrator-level access rights.
- Check for weak passwords at the moment they are set or changed, comparing them against a list of common and previously breached passwords rather than relying only on periodic manual reviews by the security team.
- Enforce a minimum password length. If you also keep complexity and rotation rules, be aware that current NIST guidance (SP 800-63B) no longer recommends mandatory composition rules or scheduled rotation; forcing a change when there is evidence of compromise is more effective.
- Limit failed login attempts, or make each successive failure wait longer before another attempt is accepted.
- Use a secure, server-side session manager (preferably the one built into your framework) that generates a new random session ID on every login.
- Keep session IDs out of URLs, store them server-side in hashed form, and revoke them when the user logs out or goes idle. Enforce both an idle timeout (end the session after a period with no activity) and an absolute timeout (end it after a fixed maximum lifetime regardless of activity).
- Teach all employees to spot phishing emails; that is one of the main ways their login credentials get stolen.
- Employ anomaly detection through an identity and access management (IAM) platform. It should flag "impossible travel," for example an account that was active in the U.S. at 8 P.M. and logs in again from the Philippines only a few hours later, since the trip takes at least about 16 hours.
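As an added example (not the page's own code), here is how three of the items above fit together in a login handler: a weak-password check against a denylist when a password is set or changed, escalating delays after repeated failures, and an impossible-travel check of the kind the IAM item describes. The threshold values, the tiny COMMON_PASSWORDS set, the coordinates, and the login events are constructed for illustration; a real deployment would use a full breached-password list and a geolocation source.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for a real common/breached password list (assumption).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1", "admin123"}
MIN_LENGTH = 12
FREE_FAILURES = 3            # failures allowed before delays start
BASE_DELAY = 2               # seconds; doubles on each further failure
MAX_DELAY = 15 * 60
MAX_PLAUSIBLE_KMH = 1000.0   # roughly airliner cruising speed


def password_problems(password, username):
    """Reasons a new or changed password must be rejected; empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common/breached password list")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


@dataclass
class _Attempts:
    failures: int = 0
    not_before: Optional[datetime] = None


class LoginThrottle:
    """Per-account escalating delay: the 4th failure waits 2 s, the 5th 4 s, ... up to MAX_DELAY."""

    def __init__(self):
        self._state = {}

    def wait_seconds(self, username, now):
        st = self._state.get(username)
        if st is None or st.not_before is None or now >= st.not_before:
            return 0.0
        return (st.not_before - now).total_seconds()

    def record(self, username, success, now):
        """Update state after an attempt; returns the delay imposed (0 if none)."""
        if success:
            self._state.pop(username, None)   # a successful login resets the counter
            return 0
        st = self._state.setdefault(username, _Attempts())
        st.failures += 1
        extra = st.failures - FREE_FAILURES
        if extra <= 0:
            return 0
        delay = min(BASE_DELAY * 2 ** (extra - 1), MAX_DELAY)
        st.not_before = now + timedelta(seconds=delay)
        return delay


@dataclass
class LoginEvent:
    user: str
    when: datetime      # timezone-aware, UTC
    lat: float
    lon: float
    place: str


def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events):
    """Return (previous, current, implied km/h) for consecutive logins of one account
    that would require faster-than-airliner travel."""
    flagged, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            speed = math.inf if hours <= 0 else km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                flagged.append((prev, ev, speed))
        last[ev.user] = ev
    return flagged


# Constructed sample logins: alice is seen in New York at 8 P.M. Eastern (01:00 UTC)
# and again in Manila eight hours later; bob's London-to-Paris trip is plausible.
SAMPLE_EVENTS = [
    LoginEvent("alice", datetime(2024, 3, 2, 1, 0, tzinfo=timezone.utc), 40.71, -74.01, "New York"),
    LoginEvent("alice", datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc), 14.60, 120.98, "Manila"),
    LoginEvent("bob", datetime(2024, 3, 2, 8, 0, tzinfo=timezone.utc), 51.51, -0.13, "London"),
    LoginEvent("bob", datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc), 48.86, 2.35, "Paris"),
]
```

Calling `impossible_travel(SAMPLE_EVENTS)` flags only alice's New York to Manila pair (about 13,700 km in 8 hours, roughly 1,700 km/h), while bob's 340 km in 4 hours passes. The throttle keeps its delay state per account and clears it on a successful login, so a legitimate user who finally gets the password right is not penalized afterwards; a production version would also key on source IP to limit distributed guessing.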
Broken authentication, in the form of stolen employee login credentials, was behind the Marriott data breach disclosed in 2020, one of the most significant compromises of that year. Follow the best practices above so you do not become the next victim.