Security Questions and password security in Web Applications
Today almost every web application uses security questions to identify the user, especially when the user forgets password.
However these security questions pose a major security risk, if they are not properly thought of. Most of the times we come across simple questions like 'In which city you were born' ,'What is your favorite movie' etc.
Nowadays there is so much information on social networking sites, that a little research will give us all the information needed. Information on favorite movie/actress etc, can be mined by following the 'likes' the user has clicked.
The questions have to be smart enough to avoid questions on events which occurred in the person's life, and also avoid questions on person's taste and likes.
Rather, the questions should evoke answers (sometimes strange) which cannot be guessed. How about these questions:
- 'Name a city which you never visited', (definitely this will have a larger answer set)
- 'Mention a name which you consider very funny' (few people can hack names like 'hay focker' P.S pun intended)
Also, the application should have strict password rules to defeat dictionary attacks. The user should be forced to enter alphanumeric and special characters.
The application should maintain a list of black listed passwords. It should not accept black listed passwords like 'welcome 123','password 123'. A recent survey has shown that these two are most used passwords. The black list should be updated regularly based on industry findings.
The passwords should be stored as one way hash (instead of encrypting) which makes it difficult to retrieve the password.
You might have read about instances, where in, hackers post all the passwords online after hacking the database. This wouldn't have happened if the passwords were stored as one way hash. SHA-2 is the latest algorithm for hashing.
We can apply a strongly generated salt to the algorithm and also we can generate hash of hash, some N number of times in order to prevent a brute force attack.