Secure Account Management Fundamentals
Secure Account Management Fundamentals covers how attackers exploit, and how developers protect, the account features we tend to take for granted in websites today: registration, logon, changing account information, and logoff.
What you'll learn
A fundamental component of many modern applications is the ability to create and manage user accounts. Many of the services we use every day as consumers, and build as developers, depend on customers being able to register, log in, and then perform tasks under their own identity. Yet every day we see a barrage of attacks against poorly implemented account management facilities, ranging from brute force attacks against the login, to impersonation of authenticated users, to the cracking of passwords exposed in data breaches. Often, weaknesses in account management facilities are simply due to the developers not having thought through the potential risks from an attacker's point of view. This course demonstrates how attackers think and how they exploit these weaknesses. There are numerous high-profile precedents, including the celebrity iCloud photo hack, the GitHub account attacks and the Dropbox credential disclosure. In some of these cases, oversights in secure account management practices left systems unnecessarily vulnerable, whilst in others, good practices undoubtedly limited the scale of the damage. The course regularly refers to real world examples, both good and bad, to illustrate the risks and the effectiveness of security controls.
Table of contents
- Overview 3m
- Using Email Addresses as Usernames 8m
- Password Strength Criteria 12m
- Providing User Feedback on Password Strength 7m
- More Sophisticated Password Strength Implementations 8m
- Disabling Paste on Password Fields 6m
- Verifying Accounts via Email 9m
- Protecting Against Account Enumeration 7m
- Using CAPTCHA for Anti-automation 10m
- Summary 3m

- Overview 2m
- Resetting Versus Reminding 5m
- The Risk of a Persistent Reset Password 3m
- The Risk of Account DoS Attacks 4m
- Using a Time-limited Nonce Reset Token 8m
- Strengthening the Reset with Verification Questions 6m
- Creating Good Identity Verification Questions 8m
- The Risk of Password Hints 2m
- Protecting Against Enumeration 5m
- The Risk of Brute Force 4m
- Summary 5m

- Overview 2m
- Identity as a Service 5m
- OpenID Connect 5m
- Understanding Web Application Firewalls 4m
- The Mechanics and Risks Within Two Factor Authentication 6m
- Protecting Against the Threat from Within 8m
- The Role of SSL 6m
- Attack Vectors in Other Account Management Channels 5m
- The Threat of Social Engineering 8m
- Summary 3m
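The outline above names several password reset controls (resetting rather than reminding, avoiding a persistent reset password, a time-limited nonce reset token, and protecting the reset against enumeration) without showing how they fit together. The following is an added example written for this page, not code from the course or its author, that combines those controls in one minimal reset flow. It assumes an in-memory user store and token store standing in for a database, a 15-minute token lifetime, and that only a SHA-256 hash of the token is stored server-side, so a database read alone does not yield a usable reset link; all names and the sample account are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumption: reset links expire 15 minutes after being issued.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory stores standing in for the application's database.
# The sample account and its placeholder password hash are made up for this example.
USERS = {"alice@example.com": {"password_hash": "<placeholder-password-hash>"}}
RESET_TOKENS = {}  # email -> {"token_hash": str, "expires_at": float}

# The response is identical whether or not the address has an account, so the
# reset endpoint cannot be used to enumerate registered users.
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


def _hash_token(token: str) -> str:
    """Store only a hash of the token; the plaintext nonce travels in the email alone."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Issue a single-use, time-limited reset nonce for an existing account.

    Returns (message, token). The message is the same for known and unknown
    addresses. The token is returned only so the caller can email it; it is
    never included in the HTTP response. No password is ever sent (reset, not
    remind), and no fixed 'reset password' is set on the account.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return GENERIC_RESPONSE, None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[email] = {
        "token_hash": _hash_token(token),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return GENERIC_RESPONSE, token


def consume_reset(email: str, token: str, now: Optional[float] = None) -> bool:
    """Validate a presented token. Succeeds at most once per issued token."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(email)
    if record is None:
        return False
    if now > record["expires_at"]:
        RESET_TOKENS.pop(email, None)  # expired tokens are discarded, not kept around
        return False
    if not hmac.compare_digest(record["token_hash"], _hash_token(token)):
        return False
    RESET_TOKENS.pop(email, None)  # single use: a valid token is invalidated on consumption
    return True


def complete_reset(email: str, token: str, new_password_hash: str,
                   now: Optional[float] = None) -> bool:
    """Apply a new password only when the token checks out.

    new_password_hash is assumed to come from a proper password hashing function
    (for example bcrypt or Argon2) chosen by the application; that step is out of
    scope here.
    """
    if not consume_reset(email, token, now):
        return False
    USERS[email]["password_hash"] = new_password_hash
    return True


if __name__ == "__main__":
    msg, tok = request_reset("alice@example.com")
    print(msg)  # same text for an unknown address
    print(complete_reset("alice@example.com", tok, "<new-placeholder-hash>"))  # True
    print(complete_reset("alice@example.com", tok, "<new-placeholder-hash>"))  # False, already used
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the clock is the server's. Because the stored value is a hash of a 256-bit random nonce, guessing is infeasible and a leaked token table does not let an attacker reset passwords, which is the difference between this design and a persistent per-account reset password.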