Securing Passwords, Basic Auth, OWASP Auth Cheatsheet

Securing Passwords

Explain to a non-technical friend how you would safely hash and store a password.

To store passwords securely, a hashing algorithm is used. A user inputs their password, and he password is run through an algorithm. This algorithm changes the password into a hash, a long string of characters that look nothing like the original password. When a user logs in to the site, they input their password, the password is hashed, and that hash is compared to the expected output. If they match, then the user gets let in.

What is Bcrypt? Why might you use something like Bcrypt? Hashing is not a fool-proof way of protecting passwords. It is still possible for a hacker to brute force a password using a computer. As computing power continues to grow, it will continue to be easier for hackers to brute force their way into passwords. Bcrypt is able to scale up the complexity of the hash as computing power scales, essentially slowing down a hacker’s ability to brute force their way through a password.

Basic Auth

What is Basic Authentication? basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request.

What properties are necessary in the header of a Basic Auth request? In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic credentials, where credentials is the Base64 encoding of ID and password joined by a single colon :

How are username:password in Basic Auth encoded? The Authorization header field is constructed as follows:[9]

1. The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.
2. The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the charset parameter.
3. The resulting string is encoded using a variant of Base64 (+/ and with padding).
4. The authorization method and a space (e.g. “Basic “) is then prepended to the encoded string.

For example, if the browser uses Aladdin as the username and open sesame as the password, then the field’s value is the Base64 encoding of Aladdin:open sesame, or QWxhZGRpbjpvcGVuIHNlc2FtZQ==. Then the Authorization header field will appear as:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

OWASP auth cheatsheet

Define the authentication process to a non-technical recruiter. Authentication is the process of verifying that a person is whom they claim to be. Unlike authorization, authentication does not allow one access to all of the things that a username and password could allow them access to. For instance, when one uses their Gmail password to sign into a third party application, they are confirmed to be who they say they are, but the third party would not be able to access their gmail account.

How should your error messaging respond (both HTTP and HTML)? Why? Error messaging should respond back genreically. This way, no clues may be given to a hacker about where weaknesses may lie within the system they are trying to crack. They will only know that they can’t gain access, but won’t be told why that may be. For instance, it would be more secure for a system to respond, ‘The credentials you entered do not match any in our system. Please try again.”, rather than “The password you entered is incorrect”, which would infer that the username was in fact correct.