rap-payne
Part of the Web Application Security Course
Provider Model
Best practices for user and group management
Sarah Palin's email was hacked
o David Kernell, 22, who goes by the hacker tag 'rubico' and is the son of Mike Kernell, a Tennessee state legislator, broke into Sarah Palin's Yahoo! account during her 2008 campaign
o He confessed ...
o It took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
o the second was somewhat harder, the question was “where did you meet your spouse?”
o I found out ... that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…
o it finally set in, THIS internet was serious business, yes I was behind a proxy, only one, if this [stuff] ever got to the FBI I was [in trouble], I panicked, I still wanted the stuff out there but I didn't know how to [compress] all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state
o Convicted on several counts in April of 2010.
Use strong passwords
o Part of Broken authentication and session management
o Lots of great tools available in .Net
o Wanted to show best practices to you
Topics
o The membership and role provider model
o ASP.NET Login controls
  • CreateUserWizard
  • Login
  • LoginStatus
  • ChangePassword
  • PasswordRecovery
o Best practices
The provider model provides authentication
o ASP.NET has a robust and simple way of handling authentication: the membership and role provider model
o Configured in web.config (or the ASP.NET Configuration Tool)
o It is highly extensible: it can be customized with some programming
o Much more secure than home-grown ways
o Uses good design patterns
o Abstracts away most user functions
The provider model can work with existing authentication providers like Active Directory and LDAP
<authentication mode="Windows"/>
<authorization>
  <allow roles="AD_GROUP, AD_GROUP2" />
  <allow users="USERS" />
  <deny users="?" />
</authorization>
Coding with the Provider Model
o All features are simple ...
MembershipCreateStatus status;
Membership.CreateUser(
    "dschrute",                        // username
    "recyclops",                       // password
    "[email protected]",               // email
    "Which color is most dominant?",   // password reminder question
    "black",                           // response
    true,                              // is approved?
    out status
);
if (status != MembershipCreateStatus.Success)
    throw new Exception("Fail!");
o Other features are similarly easy
o Best feature, though, is ...
o No programming necessary with the Login controls!
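As an added illustration (not code from the deck), the same CreateUser call with its status actually inspected, followed by the role provider placing the new account in a role. It assumes a membership provider and an enabled roleManager section in web.config; the role name and the messages are constructed values.

```csharp
using System;
using System.Web.Security;

// Added example, not from the slides: create a user through the membership
// provider, then give it a role through the role provider.
public static class AccountSetup
{
    // Returns null on success, otherwise a message for the server log.
    public static string CreateUserInRole(string username, string password, string email,
                                          string question, string answer, string role)
    {
        MembershipCreateStatus status;
        MembershipUser user = Membership.CreateUser(
            username, password, email, question, answer,
            /* isApproved */ true, out status);

        if (status != MembershipCreateStatus.Success)
        {
            // The provider reports why it refused (policy, duplicate name, ...).
            // Log this; show the browser a generic message instead.
            return DescribeStatus(status);
        }

        // Role provider: create the role on first use, then add the user.
        if (!Roles.RoleExists(role))
            Roles.CreateRole(role);
        Roles.AddUserToRole(user.UserName, role);
        return null;
    }

    private static string DescribeStatus(MembershipCreateStatus status)
    {
        switch (status)
        {
            case MembershipCreateStatus.InvalidPassword:
                return "Password does not meet the policy set in web.config.";
            case MembershipCreateStatus.DuplicateUserName:
                return "Username already taken.";
            case MembershipCreateStatus.DuplicateEmail:
                return "E-mail address already registered.";
            case MembershipCreateStatus.InvalidQuestion:
            case MembershipCreateStatus.InvalidAnswer:
                return "Password reset question or answer rejected.";
            default:
                return "Account creation failed: " + status;
        }
    }
}
```

The password policy (length, non-alphanumeric count, regular expression) configured on the provider is applied inside CreateUser, which is why the status is checked rather than assumed; the deck's own snippet throws a generic exception at the same point.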
ASP.NET Login controls
o CreateUserWizard
o Login
o LoginStatus
o ChangePassword
o PasswordRecovery
CreateUserWizard
Login
LoginStatus
ChangePassword
PasswordRecovery
... and all with no coding!
o Unless you just want to
Passwords can be compromised
Best practices
o Avoid canned questions
o When resetting the password, never email it
o Don't allow the website to "Remember me"
o Turn autocomplete off so the username and/or password can't be pulled from the browser cache
o Use strong passwords
Allow the user to set his own password reset question.
o Never force from a small list
o Too easy to research
  • High school mascot
  • Mother's maiden name
  • Pet's name
  • Birth city
o Too easy to guess
  • Favorite color
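One way to let the user write the question themselves while still refusing the researchable subjects listed above, as an added example that is not from the deck. It uses MembershipUser.ChangePasswordQuestionAndAnswer, which verifies the current password before storing the new pair; the keyword list and the minimum lengths are constructed assumptions.

```csharp
using System;
using System.Linq;
using System.Web.Security;

// Added example, not from the slides: user-chosen reset question with a
// check against the subjects the deck calls too easy to research or guess.
public static class ResetQuestion
{
    // Constructed keyword list built from the slide's bullets; extend as needed.
    private static readonly string[] WeakTopics =
    {
        "mascot", "maiden name", "pet", "birth city", "where were you born",
        "favorite color", "favourite colour"
    };

    // Assumed rule: very short questions and known-weak subjects are rejected.
    public static bool LooksWeak(string question)
    {
        string q = (question ?? "").ToLowerInvariant();
        return q.Length < 10 || WeakTopics.Any(t => q.Contains(t));
    }

    // Sets a question of the user's own; the current password is required
    // because the provider re-verifies it before changing the pair.
    public static bool SetUserQuestion(string username, string currentPassword,
                                       string question, string answer)
    {
        if (LooksWeak(question) || string.IsNullOrWhiteSpace(answer) || answer.Trim().Length < 4)
            return false;

        MembershipUser user = Membership.GetUser(username);
        if (user == null)
            return false;

        // The SQL provider stores the answer encoded the same way as the
        // password (hashed when passwordFormat="Hashed"), not in clear text.
        return user.ChangePasswordQuestionAndAnswer(currentPassword, question.Trim(), answer.Trim());
    }
}
```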
Remember me is convenient but it opens security holes
o Worst option is to save username and password in a cookie
o If you must remember me, do it like Microsoft's provider does and store it in a persistent authentication cookie
Turn browser caching off
o Guessing a username is half the battle
o If the form helps the user fill in a username, he has a major leg up
o And if we do that for a password, that would be horrible
o Turn remembering off like this:
<form id="f1" autocomplete="off">
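The two "remember me" options from the previous slides side by side, plus the autocomplete setting applied from code-behind, as an added example that is not from the deck. It assumes forms authentication and a membership provider are configured; the cookie name is a constructed value.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the slides.
public static class RememberMe
{
    // The option the deck calls the worst: credentials themselves in a cookie.
    // Anything that can read the cookie (script injection, a shared machine,
    // a proxy log) now holds the password. Shown only for contrast.
    public static void WorstOption(HttpResponse response, string username, string password)
    {
        var cookie = new HttpCookie("creds");
        cookie.Values["u"] = username;
        cookie.Values["p"] = password;   // clear-text password on the client
        cookie.Expires = DateTime.Now.AddDays(30);
        response.Cookies.Add(cookie);
    }

    // What Microsoft's provider does: verify the password once, then issue a
    // forms-authentication ticket. The cookie carries no password; with the
    // default protection="All" the ticket is encrypted and signed, and
    // persistence is a flag rather than a copy of the credentials.
    public static bool SignIn(string username, string password, bool rememberMe)
    {
        if (!Membership.ValidateUser(username, password))
            return false;

        // createPersistentCookie=true gives the cookie an expiry;
        // false makes it a session cookie that dies with the browser.
        FormsAuthentication.SetAuthCookie(username, rememberMe);
        return true;
    }
}

// Code-behind equivalent of <form id="f1" autocomplete="off"> from the slide.
public class LoginPage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        Form.Attributes["autocomplete"] = "off";
    }
}
```

The built-in Login control takes the second path on its own: its RememberMeSet value is passed straight to SetAuthCookie, so setting DisplayRememberMe="false" on the control removes the option entirely.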
Sometimes... often... usually our efforts to increase security actually decrease it
Password rules are enforced on backend
o Set in web.config in membership - providers:
<add name="AspNetSqlMembershipProvider" type="..."
     minRequiredPasswordLength="1"
     minRequiredNonalphanumericCharacters="0"
     passwordFormat="Hashed"
     maxInvalidPasswordAttempts="5"
     passwordStrengthRegularExpression="" />
Best passwords are pass phrases
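To show what the three web.config attributes above actually do, here is an added example (not from the deck) that reproduces the provider's server-side checks in the order SqlMembershipProvider applies them and runs them over constructed sample passwords. The "Slide" settings are the values shown on the previous slide; the "Passphrase" settings are an assumption illustrating the pass-phrase advice.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not from the slides: the length, non-alphanumeric and
// regular-expression checks the SQL membership provider enforces on the
// server regardless of anything the browser validated.
public static class PasswordPolicy
{
    public sealed class Settings
    {
        public int MinRequiredPasswordLength;
        public int MinRequiredNonAlphanumericCharacters;
        public string PasswordStrengthRegularExpression;
    }

    // The permissive values from the slide: nearly anything is accepted.
    public static readonly Settings Slide = new Settings
    {
        MinRequiredPasswordLength = 1,
        MinRequiredNonAlphanumericCharacters = 0,
        PasswordStrengthRegularExpression = ""
    };

    // Assumed pass-phrase settings: length is what costs an attacker, so ask
    // for plenty of it and drop the symbol quota that nudges users toward
    // short "P@ss1"-style strings.
    public static readonly Settings Passphrase = new Settings
    {
        MinRequiredPasswordLength = 16,
        MinRequiredNonAlphanumericCharacters = 0,
        PasswordStrengthRegularExpression = ""
    };

    // Same order as the provider: length, then non-alphanumeric count
    // (char.IsLetterOrDigit is the provider's test), then the optional regex.
    public static bool Accepts(Settings s, string password)
    {
        if (password == null || password.Length < s.MinRequiredPasswordLength)
            return false;
        int nonAlnum = password.Count(c => !char.IsLetterOrDigit(c));
        if (nonAlnum < s.MinRequiredNonAlphanumericCharacters)
            return false;
        if (!string.IsNullOrEmpty(s.PasswordStrengthRegularExpression) &&
            !Regex.IsMatch(password, s.PasswordStrengthRegularExpression))
            return false;
        return true;
    }

    public static void Main()
    {
        // Constructed sample passwords.
        string[] candidates = { "a", "P@ss1", "correct horse battery staple" };
        foreach (string p in candidates)
        {
            Console.WriteLine("{0,-30} slide:{1,-5} passphrase:{2}",
                p, Accepts(Slide, p), Accepts(Passphrase, p));
        }
    }
}
```

With the real provider the same three checks surface as MembershipCreateStatus.InvalidPassword from CreateUser and as an exception from ChangePassword, so a client-side validator is a convenience, not the control.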
Summary
o Good authentication practices go a long way toward establishing security
o Use a role provider based on Microsoft's
o Use Microsoft's built-in controls
o Enforce strong passwords, but don't go crazy
Further study
o Modifying the membership provider: • http://bit.ly/ModifyingMembershipProvider
o Article on passwords: • http://bit.ly/BrokenAuthentication
o Hacker broke into military computers via easy-to-guess passwords: • http://bit.ly/WorldsBiggestHackerCaught