Is my Enterprise Login System Respecting Latest Security Standards?

Sep 5, 202310 min readTagsAuthenticationIAMPasswordLock-out FunctionalityBrute Force AttackPassword Strength CheckerPassword Reset
Two input fields for login and password input showing a classical password access screen

In today's digitalized world, there are many myths about how a successful and secure password authentication system should look like.

Management generally expects from their engineering, IT or tech department that they build a state-of-the art and secure access management solution as part of the overall product development. However, it is often overlooked that the in-house IT department is oriented towards product development and is also specialized in this area. The development of secure access systems is not only an additional and onerous task in addition to an already excruciating workload, but also not a core area of competency. Thus, both expertise and resources are often lacking here. As a result, an authentication solution is somehow built or implemented and then often neglected as other topics seem to be more important. Additionally, often sales, marketing and product units put pressure on tech teams to implement more product features instead of "wasting" too much time for a secure access management solution. Understanding security often only starts after a database, webpage or portal has been compromised. This does not need to be!

Even though best practice and research have clear guidelines on how to build a state-of-the art access management solution, the different checks below only can give a first and quick estimation on quality of the evaluated solution. If any of the below factors is not following highest security standards that does not necessarily mean that the solution is not safe. However, it can be concluded that more negative answers to the following checks make it more probable that a solution is not following latest security standards. In such a case, the solution should be judged by a security expert to decide if changes have to be made. The aim of such a procedure should always be to make sure to have a bullet proof and secure authentication solution to make it as complicated as possible for potential hackers and their brute force attacks.

We at Engity have many years of experience in the field and are ready to assist you with such security checks. Below you will find a selection of quick test routines that allow you to evaluate the quality of an authentication system from the outside in four easy steps.

Check the Login Solution while Registering

Registering at a webpage, portal or database can give you valuable insights about the online security of the provider. A number of factors may help you to judge if the authentication solution is more likely to be a secure one meeting latest security standards or rather a self-developed or quickly implemented MVP solution.

Implemented rules for Password Lengths, Complexity or Strength

With the professionalization of the online world, with the rapidly increasing computing power of cloud-based systems, and with the digitization in general, the bad guys (hackers) have also successfully developed their techniques to compromise databases and access management systems. While in the beginning of the Internet a basic password offered a quite good protection, today even 6-, 8-, or 10-digit passwords alone do not guarantee the integrity and security of a protected system. While experts still discuss if password length or password complexity is more important, researchers have clearly found that password strength is the current state-of-the art solution for a password. But how can we find out if a password authentication is following this standard?

Actually, this is quite simple! If the provided login screen is asking you for a 6,8,10,12, etc. digit password often with upper- and lowercase letters, numbers and special characters, this indicates that the portal provider is still following the ancient security logic of password length eventually combined with some additional features. However, if the system does not ask for a certain password systematic but rather provides the user with a so-called password strength checker, this is a very good sign that the provider is up-to-date with the latest security standards. While entering a new password, the system with an included password strength checkers supports the user in finding a good and secure password.

But access systems with password strength checker alone do not make a secure system if other components are not considered.

Implemented further checks if hacked passwords are used

When using a password strength checker the user can be sure to have chosen a high-quality password. Nevertheless, the user can not know if this password has been compromised before and hence can be found on lists of "pawned" (hacked) passwords somewhere in the dark web. If so, a formerly high-quality password becomes a weak password. Since computing power is getting cheaper and cheaper, hackers can afford to simply use entire pawned password lists and tests them in brute force attacks against databases.

To be on the safe side and to offer their users maximum security, portal providers should also continuously check these available pawned password lists and compare any entered password against them. If a user is entering a password which has been compromised and can be found on such a list, the user is to be warned immediately and asked to change his password.

The existence of such a checking mechanism can easily be verified by simply entering passwords like Password, Password123 or Password123$ in the registration process. Alternatively, the user can force a password reset within an existing account and choose one of the three passwords above. Should the system not warn the user about the compromised password status, the system is not following the latest security standards. To get an idea how such a warning function can look like, we invite you to have a look at Engity's homepage or Engity's demo version while registering and inputting e.g., Password123.

Check the Login Solution while Logging in

Carefully analyzing the processes while logging in to an access management solution can give valuable information about the quality and security of an authentication solution.

Separate login screen for username and password

The first observation a user can make while logging in is to see whether they have to enter their username and password on the same or two successive login pages. Even though the answer is less relevant from a security perspective, it gives an idea of the development team's experience with password login user interfaces and user experience. Hence, experts can make their first conclusion about the quality of a development team. Two pages access systems at least offer the possibility to implement smarter authentication flows and various access scenarios. The very fact that developers anticipate potential future adaptations (if not already implemented) speaks for a higher quality system.

Automatic lock-out functionality for too often wrongly entered passwords

A good access solution with automatic lock-out functionality will detect if a password is not entered correctly and temporarily lock the system to prevent offenders from gaining access to the system via brute force attacks. Depending on the strength of the solution, the lock is temporarily activated after the 3rd, 5th, xth or so (but latest after the 10th) attempt of entering incorrect passwords. Often the system already will lock for the first time after the 3rd attempt, e.g., for 10 seconds. The more incorrect passwords the user enters, the longer the lockout period becomes. After the 10th login attempt within minutes, it is common that the system "sleeps" for an hour or so. The lock-out aims to prevent hackers' bots to test millions of different passwords against the password login solution.

Such a lock-out function is one of the most important security features in any password authentication solution. Interestingly, however it is not commonly used by website or portal providers. It can only be tested by a user with a functioning username and password. Testing a solution for the lock-out function allows to better understand the security standards of the solution.

There are different versions of lock-out functions which also translate to different security levels. Having a lock-out function which tells the duration of the lock-out is user-friendly and better than not having a solution at all. However, informing the user (or the bot of the hacker) about the existence of a lock-out functionality as well as its duration allows to build and adapt the brute force attack accordingly.

Therefore, the best practice approach is to implement a silent automatic lock-out. This means that the user (or hacker) is informed that an incorrect username/password combination has been entered. The logic behind this message is that a user will usually reset their password after the third or fourth attempt. The hacker's bot instead does not get the information that the lock-out functionality has been activated and constantly keeps trying, locking the access solution even further.

Test routine for existence of lock-out feature

To test the existence of the lock-out feature within your authentication system, simply enter an incorrect password ten times within seconds or minutes. Directly after these attempts switch towards the correct password. If you get access to the system, you know that no lock-out functionality has been implemented. Contrarily, if you cannot login with the correct credentials, it is most likely that a lock-out features had been implemented. But no worries: Typically, latest after 24h idle time, the lock will re-open and you can re-login with the correct credentials. Alternatively, you can regain immediate access by using the password reset functionality.

Check the Login Solution with a Knowingly Non-Existing E-mail Account

You can check the quality of an authentication system by entering entries that are unexpected for the system. By entering such non-obvious entries, you can check if the IT team having built the access management system has experience building a secure system or not. The logic behind is that experienced IT professionals or developers which have implemented authentication solutions before, generally think about the so call unexpected entries and hence include a best practice solution for such cases.

Consequently, a professional access system does not let you know if the entered credentials exist or not. Hence, if you enter a non-existing e-mail as well as password, and the system let you know that the username does not exist or that the password is not correct, this is not a good sign.

Check the Login Solution while Resetting a Password

The first step in the password reset function evaluation is to look for the password reset function itself. If such feature is not available, this generally means that the authentication was implemented in an unfinished state. As a result, such a system is generally also not properly tested and most of the time not quality checked.

In case a password reset feature is existing, you can test the behavior of the solution with a non-existing e-mail address (e.g., abc@xyz.de). If the system returns the information that the user account does not exist in the database, this is a not a good sign. Instead, the best practice return message would inform you that the password reset request has been received and that an e-mail with instructions has been sent to the provided e-mail address (if available).

Contrary, the leakage of usernames in some solutions of Apple, Google, Microsoft may not be critical per se as most users have an account with these providers anyway and hiding the existence does not change much. Due to this non-changeable risk, the aforementioned players invest billions into security measures trying to reduce overall security challenges and vulnerabilities of their solutions as much as possible. For smaller players with fewer financial and IT resources, it makes a lot sense not to disclose users or usernames. They are security and data privacy relevant when used in certain contexts. To give an example: The possibility to test usernames on adult entertainment sites (e.g., casinos, hardcore gaming, sex or pornographic pages) can hurt reputation and data privacy rights of users. In another blog post we explain how known usernames can be used to compromise user accounts and the associated user data.

Overall Evaluation of the Implemented Authentication Solution

Above, we have discussed various points to consider when deciding if a login solution is probably a secure one or not. Nevertheless, there are more general considerations.

If the access solution consists of several authentication methods (e.g., password, passwordless, Social Login, Single sign-on) or several factors this generally is a positive sign and an indication for a certain experience of the provider with access management systems. On the other hand, such a broad security approach can also overwhelm an IT department while introducing the technologies or later within the daily operations.

To summarize, there is no quick and easy answer to the question of whether an evaluated solution is secure. If the majority of the above checks can be answered positively this is a good sign. Generally speaking, from a security standpoint, it can always be recommended to offer a two-factor authentication solution to protect users' data.