What are the stages of preliminary risk assessment? What information should be included in a misuse case? Suggest two possible vulnerabilities when login/password authentication is used.
Five steps to risk assessment:
1. Identify the hazards.
2. Decide who might be harmed and how.
3. Evaluate the risks and decide on precautions.
4. Record your findings and implement them.
5. Review your risk assessment and update it if necessary.
Possible vulnerabilities when login/password authentication is used:
User-generated credentials:
Since users have to create their own passwords, there's always a chance that they won't create secure credentials. Most user-generated passwords are considered weak and vulnerable to hacking.
Whether it's because users want a password that's easy to remember, aren't up to date on password security best practices, or subconsciously use patterns to generate their passwords, this type of authentication has its flaws.
Even if your website is equipped with a password strength-checking tool, the results can be inconsistent and inaccurate, often lulling users into a false sense of security. A password should contain at least 8 characters, including uppercase and lowercase letters, digits from 0 to 9 and special characters, so that it is strong and cannot easily be guessed.
Brute-force attacks:
A brute-force attack occurs when a computer program runs through every password combination until it finds a match. The system will run through all one-digit combinations, two-digit combinations, and so forth until it cracks your password. Some programs specifically focus on combing through the most commonly used dictionary words, while others try popular passwords against a list of possible usernames.
As technology evolves, so do the tools hackers use to crack people's credentials. Aside from merely guessing your password, a brute-force attack is the most common technique hackers use.
These systems are able to run through thousands of combinations in less than a second, which means that shorter passwords can be cracked in a very short time frame.
How can I secure against brute-force attacks?
The limit for IP addresses should be higher than the limit for users, because multiple accounts could be using the same IP address.
Once a user has reached the allowed number of requests, the account should be blocked for a short period of time.
If there has been a lot of unusual behavior from a specific IP address, it might be in your website's best interest to permanently block it from making login attempts. However, blocking IP addresses also runs the risk of excluding real users, so you will want to be careful.
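The two controls the answer describes, the password composition rule and the per-account and per-IP attempt limits with a temporary lockout, as one added worked example. This is illustration code written for this page, not code from the original post; the limit values, the window and lockout lengths, the PBKDF2 parameters and the small denylist of common passwords are assumptions chosen for demonstration. The denylist also illustrates the caveat about strength checkers: "Password1!" satisfies every composition rule and is still among the first guesses a dictionary attack tries. The example goes slightly beyond the text by comparing hashes in constant time and charging unknown usernames the same hashing cost as wrong passwords, so the login endpoint does not leak which accounts exist.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict, deque

# Assumed policy values (not from the original answer).
USER_LIMIT = 5        # failures per account inside WINDOW before the account is locked
IP_LIMIT = 20         # failures per source IP; higher because NAT puts many users behind one IP
WINDOW = 60.0         # seconds over which failures are counted
LOCKOUT = 300.0       # seconds a locked account or IP is refused
PBKDF2_ITERATIONS = 100_000   # assumed; tune upward for production hardware

# Composition rules from the answer, plus a constructed denylist of passwords
# that pass every rule yet are guessed first by dictionary attacks.
COMPOSITION_RULES = [
    (r".{8,}", "must be at least 8 characters"),
    (r"[A-Z]", "must contain an uppercase letter"),
    (r"[a-z]", "must contain a lowercase letter"),
    (r"[0-9]", "must contain a digit"),
    (r"[^A-Za-z0-9]", "must contain a special character"),
]
COMMON_PASSWORDS = {"password1!", "p@ssw0rd", "qwerty123!", "welcome1!"}  # constructed sample


def password_problems(password):
    """Return the policy violations for a candidate password; [] means accepted."""
    problems = [msg for pattern, msg in COMPOSITION_RULES if not re.search(pattern, password)]
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password denylist")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(users, username, password):
    """Store the account only if the password passes the policy; returns the problems found."""
    problems = password_problems(password)
    if not problems:
        users[username] = hash_password(password)
    return problems


class LoginThrottle:
    """Counts failed logins per account and per source IP and locks a key that exceeds its limit."""

    def __init__(self, now=time.monotonic):
        self.now = now                        # injectable clock so lockout expiry can be tested
        self.failures = defaultdict(deque)    # key -> timestamps of failures inside WINDOW
        self.blocked_until = {}               # key -> clock value at which the block expires

    def _blocked(self, key, t):
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if t >= until:                        # lockout expired: forget the old failures too
            del self.blocked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def allowed(self, username, ip):
        t = self.now()
        return not (self._blocked(("user", username), t) or self._blocked(("ip", ip), t))

    def record_failure(self, username, ip):
        t = self.now()
        for key, limit in ((("user", username), USER_LIMIT), (("ip", ip), IP_LIMIT)):
            q = self.failures[key]
            while q and t - q[0] > WINDOW:    # slide the window: drop failures older than WINDOW
                q.popleft()
            q.append(t)
            if len(q) >= limit:
                self.blocked_until[key] = t + LOCKOUT

    def record_success(self, username):
        self.failures.pop(("user", username), None)   # the IP counter is deliberately kept


def attempt_login(throttle, users, username, password, ip):
    """Return 'blocked', 'ok' or 'invalid'. Unknown users cost the same as wrong passwords."""
    if not throttle.allowed(username, ip):
        return "blocked"
    salt, stored = users.get(username, (b"\x00" * 16, b"\x00" * 32))   # dummy record keeps timing equal
    _, digest = hash_password(password, salt)
    if username in users and hmac.compare_digest(digest, stored):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip)
    return "invalid"


if __name__ == "__main__":
    users, throttle = {}, LoginThrottle()
    print(register(users, "alice", "Password1!"))    # rejected by the denylist
    print(register(users, "alice", "Tr0ub4dor&3"))   # accepted
    for _ in range(USER_LIMIT):
        attempt_login(throttle, users, "alice", "wrong", "203.0.113.7")
    print(attempt_login(throttle, users, "alice", "Tr0ub4dor&3", "203.0.113.7"))   # blocked
```

Because the lockout is keyed separately for the account and for the IP, five failures against one account lock that account without touching other users behind the same address, while twenty failures spread across many usernames from one address lock the address; a permanent block for a persistently abusive IP would be an operator decision layered on top of this, with the false-positive risk the answer notes.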