Guessing User Credentials
If the login form answers a failed attempt with a message that reveals which part was wrong (for example "Unknown username" versus "Incorrect password"), an attacker can submit a list of candidate usernames with any password and learn which accounts exist on the system. That list of valid accounts is then the input for further attacks on the web application, such as a brute-force or default username/password attack aimed only at accounts known to exist.
Technical Tips:-
The application should answer every failed authentication attempt in the same manner: the same message, the same HTTP status code and response body, the same redirect, and as far as possible the same response time, whether or not the username exists. The same rule applies to registration and password-reset forms, which often leak account existence even when the login form does not.
For example:
The submitted credentials are not valid.
Or
Username or password mismatched.
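The following is an added example, not code from the original page. It places a login check that leaks account existence beside a hardened version. The user store, the example password and the message strings are constructed for the illustration; the hardened version returns one generic message for both failure cases and, when the username is unknown, still runs the password hash against a dummy record so that the work done (and hence the response time) does not depend on whether the account exists.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 iteration count: an example value, not a recommendation for production.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store for the example: username -> (salt, password hash).
# The password is an example value, not a real credential.
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Dummy record used when the username does not exist, so that a failed login
# costs the same PBKDF2 work whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Username or password mismatched."


def vulnerable_login(username: str, password: str) -> str:
    """Leaks account existence: different messages, and no hashing at all
    for an unknown user, which also gives a timing oracle."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username."          # oracle: account does not exist
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Incorrect password."        # oracle: account exists
    return "Login OK."


def hardened_login(username: str, password: str) -> str:
    """Same message and same hashing work for both failure cases."""
    record = USERS.get(username)
    if record is None:
        salt, stored, exists = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        (salt, stored), exists = record, True
    # Always compute and compare, even for the dummy record.
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    if exists and match:
        return "Login OK."
    return GENERIC_FAILURE


def responses_distinguish_user(login, known_user="alice", unknown_user="mallory"):
    """True if comparing the responses to a wrong password lets an attacker
    tell a valid username from an invalid one."""
    return login(known_user, "wrong-password") != login(unknown_user, "wrong-password")


if __name__ == "__main__":
    print("vulnerable leaks user:", responses_distinguish_user(vulnerable_login))
    print("hardened leaks user:  ", responses_distinguish_user(hardened_login))
```

When testing a real application, compare more than the message text: diff the full response (status code, headers, body length, redirect target) and measure response times for a known-valid and a known-invalid username, since a missing hash computation on the "unknown user" path is a common timing leak even where the message is generic.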
EXTRA – TIPS:-
We can force users to create credentials with the following composition, or a variant of it:
- at least 1 uppercase character (A-Z)
- at least 1 lowercase character (a-z)
- at least 1 digit (0-9)
- at least 1 special character (!"£$%&...)
- a defined minimum length (e.g. 8 characters)
- a defined maximum length (as with all external input, but generous enough not to reject long passphrases)
- no sequential runs of characters (e.g. 123 or abcd)
- not more than 2 identical characters in a row (e.g. 1111)
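As an added example (not code from the original page), the rules above implemented as a validator that reports every rule a candidate password violates rather than stopping at the first one. The minimum and maximum lengths, the set of special characters and the run length counted as "sequential" (three characters stepping by one code point, e.g. 123 or cba) are assumptions chosen for the illustration.

```python
import re
import string

MIN_LEN = 8      # assumption: example minimum
MAX_LEN = 128    # assumption: generous cap, bounds input without blocking passphrases
SPECIALS = set(string.punctuation) | {"£"}
SEQ_RUN = 3      # assumption: 3 consecutive stepping characters count as a run
MAX_REPEAT = 2   # at most 2 identical characters in a row


def has_sequential_run(pw: str, run: int = SEQ_RUN) -> bool:
    """True if `run` consecutive characters step by +1 or -1 in code point
    (e.g. 'abc', '123', 'cba')."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(pw: str, max_repeat: int = MAX_REPEAT) -> bool:
    """True if any character appears more than `max_repeat` times in a row."""
    return re.search(r"(.)\1{%d,}" % max_repeat, pw) is not None


def check_password(pw: str) -> list:
    """Return the list of policy rules the password violates (empty means OK)."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase character")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase character")
    if not any(c in string.digits for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if has_sequential_run(pw):
        problems.append("sequential characters (e.g. 123 or abc)")
    if has_repeated_run(pw):
        problems.append(f"more than {MAX_REPEAT} identical characters in a row")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for candidate in ["Tr0ub4dor&x", "Sh0rt!", "Password1", "Abc12345!", "Aaaa1!qw"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Returning all violations at once lets the registration form tell the user everything to fix in one round trip; the same function can be reused server-side on password change and reset, where composition rules are often forgotten.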