This mish-mash of security is the basis of Web login vulnerabilities and the reason passwords are so often easily cracked. Be it form-based, HTTP Basic, or NT LAN Manager (NTLM), the three main types of authentication that most applications use, any of them can be cracked when proper login controls are not in place. And they're usually not.
Some common vulnerabilities that I see that can easily lead to an attacker cracking Web passwords include the following:
* No intruder lockout after a certain number of failed attempts
* Intruder lockout time that's too short
* Allowing simultaneous logins from the same or multiple hosts
* Transmitting login traffic via HTTP and not using SSL (I know that's a slight contradiction to my typical stance that 'SSL adds little value,' but as you'll see below, it can be a problem.)
I'm surprised to find so many Web applications that have those general weaknesses. Be it in-house Web applications, off-the-shelf Web software for email, ecommerce, etc., or Web interfaces on critical network infrastructure hosts such as firewalls, routers, and physical access control systems, the fact is they're everywhere. And they're not being properly tested for weaknesses. With the right tools, malicious intent, and a relatively small amount of time, attackers can compromise your Web accounts, and odds are no one will ever know about it until it's too late.
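To make the four weaknesses in the list above concrete, here is an added example (my own illustration, not code from the original post) of a minimal login gate that closes each of them: it refuses credentials sent over plain HTTP, counts failed attempts and locks the account for a meaningful window, keeps the count at zero only after a real success, and caps concurrent sessions per account. The names `LoginService`, `MAX_FAILED`, `LOCKOUT_SECONDS`, and `MAX_SESSIONS` are this example's own choices, the accounts are in memory, and the clock is injectable so the lockout window can be exercised without waiting. Every decision is appended to an audit list, which is what a monitoring team would actually alert on.

```python
"""Login gate with intruder lockout, session limits and HTTPS enforcement.

Added example, not from the original article. LoginService, MAX_FAILED,
LOCKOUT_SECONDS and MAX_SESSIONS are assumed names for this illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

MAX_FAILED = 5             # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60  # lockout length; a short window makes guessing cheap
MAX_SESSIONS = 1           # concurrent sessions allowed per account
PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = b"\x00" * 16  # burns equal work for unknown usernames


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0
    locked_until: float = 0.0
    sessions: dict = field(default_factory=dict)  # session token -> client host


def create_account(password: str) -> Account:
    """Constructed test account: salted PBKDF2 hash, no sessions, no failures."""
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


class LoginService:
    def __init__(self, accounts: dict, clock=time.monotonic):
        self.accounts = accounts
        self.clock = clock          # injectable so lockout expiry can be tested
        self.audit: list = []       # one line per decision, for detection/alerting

    def _deny(self, outcome: str, username: str, host: str):
        self.audit.append(f"{outcome} user={username} host={host}")
        return outcome, None

    def login(self, username: str, password: str, host: str, scheme: str = "https"):
        """Return (outcome, session_token); token is None unless outcome == 'ok'."""
        # 1. Never accept credentials over plain HTTP.
        if scheme != "https":
            return self._deny("insecure_transport", username, host)
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            _hash(password, _DUMMY_SALT)  # same cost as a real check, no user enumeration by timing
            return self._deny("denied", username, host)
        # 2. Honour an active lockout before even looking at the password.
        if now < acct.locked_until:
            return self._deny("locked", username, host)
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed += 1
            if acct.failed >= MAX_FAILED:
                acct.failed = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return self._deny("locked", username, host)
            return self._deny("denied", username, host)
        acct.failed = 0
        # 3. Refuse another session while the account already holds the maximum.
        if len(acct.sessions) >= MAX_SESSIONS:
            return self._deny("session_limit", username, host)
        token = secrets.token_urlsafe(32)
        acct.sessions[token] = host
        self.audit.append(f"ok user={username} host={host}")
        return "ok", token

    def logout(self, username: str, token: str) -> bool:
        """Release a session so a later login from any host is allowed again."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return acct.sessions.pop(token, None) is not None
```

The counter resets only on a successful login, and the lockout check runs before the password is verified, so a correct guess arriving during the window is still refused; that is the property a "lockout time that's too short" setting gives away. The `session_limit` outcome is the hook for the third bullet: whether you reject the new login, as here, or revoke the old session instead is a policy choice, but either way the second concurrent login should land in the audit trail.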