Help identify the weakest link in this security system...
Posted: Tue Aug 23, 2005 9:38 am
Overview of current system:
Chrooted, virtual machine.
SSL protected login credentials
Salted, Hashed password storage/comparison
Strong password requirements (8 characters, 1 each of upper, lower, special, and number, compared against dictionary/l337 speak dictionary)
Time delays for brute force slowdown
Currently no password request reminder/reset mechanism exposed to users directly. (I need to address this, however).
Missing components:
Real logging/notification for attack attempt profiling/real time response
SessionId protection (just the standard php system)
No CSRF protection
Other suspected weak areas?
Currently I'm only using SSL for the login page, not for the whole site -- therefore I'm not using the cookies_only, cookies_ssl_only options for the session. That could be an option, but the performance trade-off would need to be examined more.
I think that the coding up the token/nonce system for my forms to beat the CSRF is probably the next vector to attempt to offer some protection against.
The site is not an e-commerce site; it's not a likely target, but I don't want to be stupid about leaving obvious issues open.
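The token/nonce form protection mentioned in the post, written out as an added example on top of PHP's standard session (this is not the original poster's code). It assumes PHP 7 or later for random_bytes() and hash_equals(); the form field name csrf_token and the error_log line are my own choices.

```php
<?php
// Added example, not the poster's code: synchronizer-token CSRF protection
// layered on the standard PHP session. Assumes PHP >= 7.0 (random_bytes,
// hash_equals). The field name "csrf_token" is an assumption.

session_start();

// Issue one random token per session, lazily, and keep the copy server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// On POST, compare the submitted token to the session copy in constant time.
function csrf_validate(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST)) {
        // A mismatch is worth recording: it feeds the attack-logging gap the post lists.
        error_log('CSRF token mismatch, session ' . session_id() . ' from ' . $_SERVER['REMOTE_ADDR']);
        http_response_code(403);
        exit('Invalid request');
    }
    // ... token verified; handle the form here ...
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <input type="text" name="comment">
  <button type="submit">Post</button>
</form>
```

Since the rest of the site is served without SSL, the session ID and this token travel in the clear off the login page, so the token defends against cross-site forgery but not against an attacker who can read that traffic.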