Q

Proactive additions shore up forms-based authentication

How can we best prevent hacking and user account lock out in Web applications with forms-based authentication?

This Content Component encountered an error

I'm trying to minimize the chances of someone cracking my Web application's forms-based authentication. I know I can't control who connects to the application, but what can I do to prevent cracking and users' accounts getting locked?

Web-based password cracking is a real problem for forms-based authentication. Between the weak passwords that people use and the amount of Web attacks taking place, you can be a target for an attack that you’re likely not ready to detect and protect against. According to the 2014 Verizon Data Breach Investigations Report, 35% of all breaches are Web-related.

I typically recommend that developers include an intruder lockout mechanism for forms-based authentication. For example, after five to 10 failed login attempts, lock the account for a few minutes and/or provide a means for the users to reset their passwords (i.e., via an out-of-band email reset process).

forms-based authentication illustration

You can also help prevent automated forms-based attacks by requiring a multi-step process for users to login. The most resilient forms-based Web authentication system I’ve seen is one that required users to click on images to enter their passwords and the images changed position ever so slightly each time. The problem with this approach is that it also breaks most login macro recorders used in Web vulnerability scanners making it nearly impossible to perform authentication vulnerability scans if you’re using the wrong tool.

A Web application firewall (WAF) or intrusion prevention system (IPS) can help prevent login form attacks as well. There are a lot of variables, and only you know what would work best for your system architecture, your application workflow and your users. Just make sure you’re thinking about this challenge, because it will likely surface and need to be addressed at some point.

This was first published in June 2014

Dig deeper on Internet Application Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close