Retyping password to confirm...necessary or excessive? - user-friendly

Simple question...I've noticed several large sites (Facebook, Twitter, etc) have ditched the idea of requiring new registrants to confirm their new password by typing it again.
Balancing usability and error-prevention effectiveness...is it better to require confirmation or not?

I would say yes, it is a useful feature.
I've mistyped a new password on multiple occasions, and I'm glad the software caught it then, rather than later, since resetting or changing a password later is generally a cumbersome process (relative to just notifying me right then that it was wrong).

I think it's excessive and here is a solution to show password on demand which provides an option to view the password if the user is in doubt. It improves usability and user experience.

I believe the confirmation is needed. We can absentmindedly mistype a password and later find it difficult to log in. It is better to put in some extra keystrokes during registration than later going through the whole cycle of resetting password or worse registering again. Prevention is better than cure.

If you have a killer, super easy to use password reset system, then no, its not needed. If your password reset system leaves something to be desired, then go with either the confirmation or a solution like #Chandra suggested.

I think having to retype passwords is worth the pain of accidentally mistyping it first time. If you use numbers in place of letters then seeing the password may not be that much help.
What really bugs me is having to retype an email address. How many people don't simply use copy and paste?

Related

Is there a way to delete/get rid of a Man-In-the-Browser infection?

I was cruising around the browser reading articles about MItB and still can't find a technical way of getting rid of an MItB infection. hence, I was wondering: Is there is such a way to delete an MItB attack technically? If you were to click an infected link on a computer or mobile through a browser, in which triggered the MItB and infects your web browser, can you destroy the vulnerability by reinstalling the browser, whether in your phone or computer? More importantly, does MItB make any difference in computer and phones?
Man in the browser (mitb) is a nasty attack because "traditional" security mechanisms are not very effective against it. This is a classic example of a Trojan because the "enemy" is behind your city wall (security layers). Encryption won't help because the data the attacker is accessing is already decrypted. So the attacker has the chance to inject scripts, modify transactions, collect personal data, etc., without the user's knowledge. From the user's POV, everything is fine. They won't notice anything is wrong until the damage is done.
Your idea of reinstalling the browser is unlikely to work. The Trojan can survive the reinstall because it is not part of the browser itself. It is either an extension (or "browser helper object"), malicious JavaScript, or an external program which messes with the browser's API calls.
Also, active detection and mitigation by antivirus and other anti-malware software is not very successful. AV will detect some Trojans, but the detection rates are low. Trojans are, by design, engineered to avoid detection.
One approach you will often hear mentioned is 2-factor authentication or out-of-band transaction verification. The most common is to send a code to the user's phone or e-mail. In some systems, this code will also include information about the specific transaction which is being verified. The idea here is that the phone or other communication channel will not be impacted by the Trojan, so it should be safe from interference. But honestly I don't really think this is 100% safe. You will still have users who ignore any warning signs in the message and just blindly continue typing in the verification code into their browser because they are 1) ignorant 2) in a hurry, or both. And even then, you are assuming the the out-of-band communication mechanism has not been compromised. That's a big assumption. If you're wrong, then it will be completely ineffective.
Another approach is to sidestep the problem and look at the user's behavior from the server side. If you can establish a model of their "normal" behavior, then there is a reasonable chance of identifying suspicious activity. What is suspicious activity? It can be anything like a sudden increase in large transactions, changing IP address in the middle of a session, and navigating between pages in an "unnatural" way. When this type of behavior is detected, you can notify the user or take steps like locking their account or just rejecting a transaction. Of course, this will be limited to a specific service (e.g. the user's bank) and there is always a chance of false positives. It doesn't address the root of the problem, because the user's platform will still be infected.
The defense right now is not detection but prevention. Stop the Trojan from getting in. The most obvious one. Don't download and open or execute anything unless you trust the source 100%. That means the source should have E2E encryption and a trustworthy SSL (TLS) cert, preferably extended validation (EV).
Also make sure your OS is up to date with the latest security patches. Finally, don't use browsers with known vulnerabilities. And even then, avoid suspicious browser plugins/extensions.

Why not show error messages and system specs to users?

Sometimes I'm on one of my sites, and I run into a DB error that just throws itself out there onto a publicly visible page. I hurry myself to sweep it up, repairing the error when it doesn't belong and creating a custom error when it does belong. I've been told countless times not to allow users to view error messages and to try to avoid revealing system specs. I seem to have forgotten the reason why, though. Why is this so crucial?
Because the more a baddee knows about the architecture of your system, the easier it is for them to tailor attacks to gain access to it, bring it down, etc.
The short answer is that the more information an attacker has, the more likely it is that they will be able to compromise the site in some way.
For example, if a DB error has a table name or a column name in it, the attacker now knows what to try in an SQL injection attack.
https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling
Owasp has a good treatment of the subject. The above link is old but still valid. In general I recommend OWASP as a good resource for understanding not only what good security practices are, but also why they are good.
Because the users can also be crackers/hackers.
It scares the users to see a lot of strange text/code => not user friendly.
But the primary reason is because of the hackers that gain knowledge of your system.

User security in the database of my website

Lets say i have a website mysite.com that will store some sensitive personal data (bank related)
On this website i have an oracle database with a USERS tables that will store the logins and passwords of users from mysite.com
I have a few questions :
How should i store passwords,encryption of course, but which ?
What should be the process for registration ? send an email to confirm is really necessary ?
Any good advices on login processes in general ?
For information, i m using Oracle APEX
You're storing bank related sensitive personal data. Don't hack your own solution. Use an existing, proven solution. Most likely you will also be running into all kinds of security and privacy laws, regulations and liabilities when dealing with such data. Find someone who knows these regulations and who can help you and advise you.
Don't try to do this yourself. "Anyone can build a security system they they themselves cannot break." - I think that's a Bruce Schneider quote. Heed it.
Edit to react on comment:
Even when dealing with private finance software you're probably dealing with bank account numbers, social security numbers, etcetera. So you are probably still running into various kinds of regulations.
Systems like OpenID and Oracle SSO only cover authentication. Regulations also dictate minimum security measures on how you should store data in your database, how you should treat backups, how you should deal with people (e.g. developers) accessing the database, etcetera, etcetera. If you don't follow these and something goes wrong, you're liable.
I really urge you to seek help from someone knowledgeable in the field. Explain them what you want to do, what you want to store, etcetera. They can tell you what (if any) regulations apply. Only then can you start looking at how you are going to implement this and what off-the-shelf components you can use.
Under no circumstance should a password be encrypted. The use of encryption implies that there is a decryption function and that would be a violation of CWE-257. Passwords must always be hashed, and SHA-256 is an excellent choice. The password should be salted with a cryptographic nonce. Authentication systems are highly simplistic when taking into consideration the other security systems you rely on.
You must be VERY CAREFUL to make sure that your system is free of SQL Injection. I recommend obtaining a copy of Acunetix($) NTO Spider ($$$) or wapiti(open source). In any case parameterized quires is the way to go.
Take a look at the answers to this question.
Passwords should be stored as a salted hash. Use a unique salt for each. For hashing there are better alternatives but SHA1 is alright for many purposes (its available via DBMS_CRYPTO). Even better go for SHA256 (using http://jakub.wartak.pl/blog/?p=124).
User registration confirmation really depends on the site. If you want to get users in quickly then you could allow them in after registration for a limited time until they click the activation link. All the activation really gets you is a real email address to associate with the user. Also consider captcha to prevent automated/scripted sign-up.
Login should enforce temporary lockout after some invalid attempts (and alert admins when successive lockouts are hit). Enforce a password complexity too.
OWASP has very good general advice on secure web app design.
Wikipedia has some information on Oracle Apex Security. Another comment suggested a web testing tool such as Acunetix or NTO Spider (I would suggest Burp instead), there is also a tool for testing the security of Apex applications through analysis of the source (ApexSec) - (disclosure, I work for this company).
You could also consider a third-party view on you application, be that penetration testing or code review. A Web Application Firewalls can provide some value depending on your context.

Write Secure Cocoa Code

Im making an application in cocoa and wanted to see if some strings in it were easily accessible so I ran OTX on it and sadly all of my code was found. Is there a method I can use to make my code more "secure" or at least encrypt/hide the strings? The reason I want to encrypt the string is it's a password for a server. I don'd need it really secure I just don't want the password to be so easy to find.
Thanks for any help
You should never put a password into an executable.
This is like putting the password on a sticky note next to the monitor. If a malicious hacker has your application they can eventually extract the password regardless of what language or API you use to write it.
For example, if I know that your application connects to a password protected server but the application never ask for a password, then I know you've made the mistake of including the password. To find the password, I need only monitor the operation of the program to see what areas of code are active around the time it connects to the server. This will tell me where to focus the search for the password regardless of how big your application is. Then it is only a matter of time until I track the password down. Encrypting the password does no good because the encryption algorithm must also be in the app and I can unravel that as well.
Remember that there are many people out there who can unravel your code using only the raw machine code. For those people it doesn't matter what language or API you use because they all distill to machine code in the end. Those people are the scary skilled gods of programming and they laugh at mere mortals such as you or I. Unfortunately, some of them are evil.
Did I mention that you should never put a password into an executable? If I didn't, let me repeat that you should never put a password into an executable.
In your particular case, as novice programmer, you have no hope of hiding of the password from someone with even a little bit more experience than yourself. This is yet another good reason why you should never put a password into an executable.
1. Avoid ObjC in secure code.
Because ObjC's class system depends heavily on runtime reflection, the whole interface needs to be included alongside the executable. This allows tools like class-dump to easily recover the source #interface of the binary.
Therefore, the secure code functions should be written as a C function, not an ObjC method.
2. Use strip.
By default the compiler will keep all the private symbols (which allows stack trace to be more readable). You can use strip to delete all these symbols.
3. Obfuscation.
The above steps can only hide the code logic. But if the password is a constant string, it is immediately visible using the strings utility. You may obfuscate this by constructing the password in runtime (e.g. store the password encoded in ROT-13 in the file.)
4. Or just change your design.
No matter how good your protection system is, as the hacker have total control on their machine, given enough time, they always win. It's better to revise your design, like why the password must come with the executable? Or why a global password even needed?

Storing Passwords for External APIs - Best Practice

If I built an application that accessed some of the data from say Gmail, Twitter and Facebook, and I want the user to be able to only have to enter their authentication info once, and it's reset after some days or weeks, what is the best way to do this, dynamically, in Ruby?
I see a lot of people just having a config file of their clients'/users' credentials like so:
gmail_account:
username: myClient
password: myClientsPassword
This seems a) like it's very insecure, and b) it wouldn't work if I wanted to store this kind of information for thousands of users. What is the recommended way to do this?
I would like to be able to build an interface on top of these services, so having to enter credentials every time the user made a transaction isn't feasible.
If you're comforatable with the potential liability when a hacker gets into your database / filesystem, then go for it. And in all fairness, you should also disclose to your users that their passwords will be stored on your system, and let them decide if they want to give your program that level of trust.
But why do this in the first place? Facebook Connect and Twitter & Google using OAuth there's no need for you to store user passwords at all. At some point a user's cookies will expire (or they'll try to access your site from another computer) and they'll have to re-authenticate. You can't prevent re-authentication - instead, you should make it as easy for the end user to handle as possible.
Such services are providing OpenAuth authorization. You are strongly recommended to have a look at it.
Security
I assume your application needs to know the password in plaintext. Then there is no way around storing it in some kind of plain way.
Store in some kind of encoded way eg. Base64, this protects you from knowing password when looking through the database with your eyes, but it does not protect you from anything else.
Ensure that the files are not readable from any other user
Encrypt your harddrive, so nobody can get the passwords from stealing your harddrive. Your computer will require inputung you the password during booting.
Storing
There is nothing wrong with storing much data in your filesystem. For better performance you can do the following
One file for each user, so the filesystem and not ruby needs to search for the data
Make a lot of subdirectorys. Some filessystems performance suffer's if you put to many files into one directory. eg. put the file 'abcd' into 'a/b/c/d'
You could use a database instead of the filesystem
This is the way it works for instance for fetcmailrc which has to be chmod to 600 (readeable and writable only by his owner). And yes, it contains the plain password.
I would strongly suggest you to use OAuth, but if you have to store the passwords (please be absolutely sure that you need to do it) you could use the OpenSSL library to encrypt the passwords. The OpenSSL library is quite poorly documented in Ruby, but as far as I know they are quite similar to the C OpenSSL library. Since I think you should use OAuth, and not storing the passwords I'll let you find the documentation yourself.
However, for the OAuth approach, you want to take a look at the OAuth gem. Google, Twitter (which I recommend you to use the excellent twitter gem for) and facebook (which has two seemingly good alternatives: RFacebook and facebooker)

Resources