Attacking Authentication: Incomplete Validation of Credentials

Well-designed authentication mechanisms impose requirements on passwords, such as a minimum length or a mix of uppercase and lowercase characters. Badly designed ones, on the other hand, not only fail to require these good practices but also fail to honor users' own attempts to comply with them.

For instance, some applications truncate passwords and therefore validate only the first n characters. Some perform a case-insensitive comparison. Some strip unusual characters (sometimes on the pretext of input validation) before checking the password. Behavior of this kind has been found in some surprisingly high-profile web applications, usually discovered through trial and error by curious users.

Each of these restrictions on password validation reduces the number of variations in the set of possible passwords by an order of magnitude. Through experimentation, you can determine whether a password is being validated in full or whether any such restriction is in effect. You can then fine-tune automated attacks against the login to remove unnecessary test cases, massively reducing the number of requests needed to compromise user accounts.
