Provider Model Best practices for user and group management

12 provider model.pptx


Part of the Web Application Security Course


Page 1: 12 provider model.pptx

Provider Model

Best practices for user and group management

Page 2

Sarah Palin's email was hacked

o  David Kernell, 22, who goes by the hacker tag 'rubico', son of Mike Kernell, a Tennessee state legislator, broke into Sarah Palin's Yahoo! account during her 2008 campaign
o  He confessed ...
o  It took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
o  the second was somewhat harder, the question was “where did you meet your spouse?”
o  I found out ... that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…
o  it finally set in, THIS internet was serious business, yes I was behind a proxy, only one, if this [stuff] ever got to the FBI I was [in trouble], I panicked, i still wanted the stuff out there but I didn’t know how to [compress] all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state
o  Convicted on several counts in April of 2010.

Page 3

Use strong passwords

o  Part of Broken authentication and session management
o  Lots of great tools available in .Net
o  Wanted to show best practices to you

Page 4

Topics

o  The membership and role provider model
o  ASP.NET Login controls
   •  CreateUserWizard
   •  Login
   •  LoginStatus
   •  ChangePassword
   •  PasswordRecovery
o  Best practices

Page 5

The provider model provides authentication

o  ASP.NET has a robust and simple way to handle authentication: the membership and role provider model
o  Configured in web.config (or the ASP.NET Configuration Tool)
o  It is highly extensible! Can customize it via some programming
o  Much more secure than home-grown ways
o  Uses good design patterns
o  Abstracts away most user functions

Page 6

The provider model can work with existing authentication providers like Active Directory and LDAP

    <authentication mode="Windows"/>
    <authorization>
      <allow roles="AD_GROUP, AD_GROUP2" />
      <allow users="USERS" />
      <deny users="?" />
    </authorization>

o  With Windows authentication the roles are Windows/AD group names; rules are matched in order, and deny users="?" rejects anonymous requests that no earlier rule allowed

Page 7

Coding with the Provider Model

o  All features are simple ...

    MembershipCreateStatus status;
    Membership.CreateUser(
        "dschrute",                        // username
        "recyclops",                       // password
        "[email protected]",               // email
        "Which color is most dominant?",   // password reminder question
        "black",                           // response
        true,                              // is approved?
        out status
    );
    if (status != MembershipCreateStatus.Success)
        throw new Exception("Fail!");

o  Other features are similarly easy
o  Best feature, though, is ...
o  No programming necessary with the Login controls!

Page 8

ASP.NET Login controls

o  CreateUserWizard
o  Login
o  LoginStatus
o  ChangePassword
o  PasswordRecovery

Page 9

CreateUserWizard

Page 10

Login

Page 11

LoginStatus

Page 12

ChangePassword

Page 13

PasswordRecovery

Page 14

... and all with no coding!

o  Unless you just want to

Page 15

Passwords can be compromised

Page 16

Best practices

o  Avoid canned questions
o  When resetting the password, never email it
o  Don't allow the website to "Remember me"
o  Turn autocomplete off so the username and/or password can't be pulled from the browser cache
o  Use strong passwords

Page 17

Allow the user to set his own password reset question.

o  Never force from a small list
o  Too easy to research
   •  High school mascot
   •  Mother's maiden name
   •  Pet's name
   •  Birth city
o  Too easy to guess
   •  Favorite color

Page 18

Remember me is convenient but it opens security holes

o  Worst option is to save username and password in a cookie
o  If you must remember me, do it like Microsoft's provider does and store it in a persistent authentication cookie

Page 19

Turn browser caching off

o  Guessing a username is half the battle
o  If the form helps the user to fill in a username, he has a major leg up
o  And if we do that for a password, that would be horrible
o  Turn remembering off like this:

    <form id="f1" autocomplete="off">

Page 20

Sometimes ... Often ... Usually, our efforts to increase security actually decrease it

Page 21

Password rules are enforced on backend

o  Set in web.config in membership - providers:

    <add name="AspNetSqlMembershipProvider" type="..."
         minRequiredPasswordLength="1"
         minRequiredNonalphanumericCharacters="0"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         passwordStrengthRegularExpression="" />
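A hardened version of that provider block, added here as an example that is not from the slides, which ties together the best practices on pages 16 to 22 (never email a password, user-chosen reset question, lockout, a long pass phrase instead of symbol rules, no persistent login). The connection string name AppDb, the login page path and the concrete limits are assumptions to adjust for the application.

```xml
<!-- Added example, not from the slides. "AppDb", "~/Login.aspx" and the
     numeric limits are assumptions; the attribute names are the standard
     SqlMembershipProvider / forms authentication settings. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Ticket is encrypted and signed, sent only over HTTPS, and expires
           20 minutes after login. Whether the cookie outlives the browser
           session is decided in code (FormsAuthentication.SetAuthCookie
           with createPersistentCookie=false); keep it non-persistent. -->
      <forms loginUrl="~/Login.aspx" timeout="20" slidingExpiration="false"
             requireSSL="true" protection="All" cookieless="UseCookies" />
    </authentication>
    <authorization>
      <deny users="?" />  <!-- anonymous users get nothing by default -->
    </authorization>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <!-- Hashed + enablePasswordRetrieval="false": the stored password can
             never be read back, so a "reset" issues a new one rather than
             emailing the old one. requiresQuestionAndAnswer="true" makes the
             reset depend on the question the user typed in CreateUserWizard.
             Length 12 with no symbol requirement favours pass phrases;
             5 failures within 10 minutes locks the account. -->
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppDb"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="0"
             passwordStrengthRegularExpression=""
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Role checks (allow roles="...") come from the matching role provider. -->
    <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear />
        <add name="AspNetSqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AppDb" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The provider refuses to start if passwordFormat="Hashed" is combined with enablePasswordRetrieval="true", so the pair above is the only consistent way to get the "never email the password" behaviour.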

Page 22

Best passwords are pass phrases

Page 23

Summary

o  Good authentication practices go a long way toward establishing security
o  Use a role provider based on Microsoft's
o  Use Microsoft's built-in controls
o  Enforce strong passwords, but don't go crazy

Page 24

Further study

o  Modifying the membership provider:
   •  http://bit.ly/ModifyingMembershipProvider
o  Article on passwords:
   •  http://bit.ly/BrokenAuthentication
o  Hacker broke into military computers via easy-to-guess passwords:
   •  http://bit.ly/WorldsBiggestHackerCaught