From Guidance Share




Depending on your requirements, there are several authentication mechanisms to choose from. If the mechanism is not chosen and implemented correctly, it can expose vulnerabilities that attackers can exploit to gain access to your system.


Common authentication vulnerabilities include:

  • Credentials or authentication tickets passed in clear text
  • Weak password policies
  • Passwords stored insecurely
  • Ineffective or missing password complexity checks


Attacks that exploit these vulnerabilities include:

  • Cookie replay attacks
  • Dictionary attacks
  • Network eavesdropping
  • Password brute force attacks


Countermeasures against authentication attacks include:

  • Encrypt credentials over the wire. Avoid sending plain-text credentials over the wire. If you must send credentials over the wire, encrypt them to help protect them if they are captured during a network sniffing attack.
  • Protect authentication tokens. Encrypt authentication tokens over the wire. Use an encrypted channel (for example by using SSL) to prevent an attacker from sniffing authentication tokens and using them in cookie replay attacks.
  • Enforce strong password policies. Enforce password complexity requirements by requiring long passwords with a combination of upper-case, lower-case, numeric and special (for example punctuation) characters. This helps mitigate the threat posed by dictionary attacks. If possible, also enforce automatic password expiry.
  • Store password hashes (with salt) instead of the passwords or encrypted passwords. If you implement Forms authentication, don't store user passwords if the sole purpose is to verify that the user knows the password value. Instead, store a verifier in the form of a hash value and re-compute the hash from the user-supplied value during the logon process. Avoid storing encrypted passwords because it raises key management issues: you can secure the password with encryption, but you then have to consider how to store the encryption key. Combine password hashes with a salt value (a cryptographically strong random number) to mitigate the threat associated with brute force attacks and dictionary attacks.
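The following Python example, added here and not part of the original Guidance Share page, shows the last two countermeasures working together: a password is checked against a complexity policy (length, character classes and a small banned-password list) before a salted verifier is created, and logon recomputes the hash from the supplied value and compares it in constant time. The minimum length, the iteration count, the `COMMON_PASSWORDS` set and the function names are this example's own assumptions; PBKDF2-HMAC-SHA256 is used as the hash because it ships with the Python standard library, not because the page prescribes it.

```python
import hashlib
import hmac
import secrets
import string

# Constructed, deliberately tiny banned-password list; a real deployment would
# load a large breached-password list instead.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}

MIN_LENGTH = 12            # assumption: policy minimum used by this example
PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special (punctuation) character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def make_verifier(password: str) -> dict:
    """Build the record that is stored instead of the password: a fresh random salt
    plus the salted hash. The salt and hash are hex-encoded for storage."""
    salt = secrets.token_bytes(SALT_BYTES)  # cryptographically strong random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "algorithm": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Logon check: recompute the hash with the stored salt and iteration count and
    compare it in constant time, so timing does not leak how many bytes matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def register(password: str) -> dict:
    """Enforce the policy first, then create the verifier that would be stored."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return make_verifier(password)


if __name__ == "__main__":
    stored = register("Correct-Horse-7Battery")
    print("stored record:", stored)
    print("correct password accepted:", verify_password(stored, "Correct-Horse-7Battery"))
    print("wrong password accepted:", verify_password(stored, "correct-horse-7battery"))
    print("weak password problems:", check_password_policy("Password1"))
```

Because the salt is generated per user, two users who pick the same password get different stored hashes, which is what defeats precomputed dictionary attacks against the password store; the iteration count is stored alongside the hash so it can be raised later without invalidating existing records.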

Microsoft Platform Considerations:

  • Configure SQL Server to use Windows authentication only. By using Windows authentication, you can use Active Directory password policies, database credentials do not need to be stored in connection strings, and credentials are not passed over the wire during authentication.
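As an added illustration of the configuration point above (example code, not from the original page), the Python check below parses a SQL Server connection string and flags the weak form (a SQL login and password embedded in the string) versus the corrected form that requests Windows authentication. The keywords `Integrated Security=SSPI` and `Trusted_Connection=yes` are the standard SqlClient/ODBC spellings for Windows authentication; the two sample connection strings, the server and database names, and the function names are constructed for this example.

```python
# Constructed sample connection strings: the first embeds a SQL login, the second
# requests Windows authentication so no credentials live in configuration.
WEAK_CONN = "Server=dbhost;Database=Orders;User ID=appuser;Password=S3cret!;"
STRONG_CONN = "Server=dbhost;Database=Orders;Integrated Security=SSPI;"

PASSWORD_KEYS = {"password", "pwd"}
USER_KEYS = {"user id", "uid"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
INTEGRATED_TRUE = {"true", "sspi", "yes"}


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased, trimmed keys."""
    parts = {}
    for segment in conn.split(";"):
        if not segment.strip():
            continue
        key, _, value = segment.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def audit_connection_string(conn: str) -> list:
    """Return a list of findings; an empty list means the string relies on
    Windows authentication and carries no SQL login credentials."""
    parts = parse_connection_string(conn)
    findings = []
    integrated = any(parts.get(k, "").lower() in INTEGRATED_TRUE for k in INTEGRATED_KEYS)
    if not integrated:
        findings.append("Windows authentication not requested "
                        "(add Integrated Security=SSPI or Trusted_Connection=yes)")
    if PASSWORD_KEYS & set(parts):
        findings.append("SQL login password embedded in connection string")
    if USER_KEYS & set(parts):
        findings.append("SQL login user embedded in connection string")
    return findings


if __name__ == "__main__":
    for label, conn in (("weak", WEAK_CONN), ("corrected", STRONG_CONN)):
        print(label, "->", audit_connection_string(conn) or ["ok"])
```

A check like this belongs in a configuration review or a pre-deployment scan over application config files: any connection string that fails it is one where a password can leak from configuration and is also sent across the wire at SQL login time.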

