Looking for feedback. I am building a django app where users are given randomly generated passwords.
Currently, the password is being generated using the make_random_password() function in django auth.
However, early feedback is that the emails are too hard to remember (even though the users can change them).
This is a closed (invite only) app, but it lives on the internet. with about 600 users total. I had a solution that I feel is is somewhat insecure, but I wanted to run it by SO users, as it solves the feedback issue
In my settings.py file, I have created two lists, one contains about 20 car names, the other about 40 verbs (which are capitalized).
I was going randomly select one from each list, join them together and then append a few random chars to the end.
All passwords would be at least 9 chars long and when saved are hashed using django's set_password() function
The biggest issue I see is that if someone were to gain access to the SFTP server they would then have access to my code AND hence a template for cracking the pwords.
BUT they would also have db access etc, so is it really a concern?
You should always assume that the attacker has access to your password generation scheme. Basing your security on the assumption that he doesn't is trusting security through obscurity. Obscurity can give a nice security bonus but you should never rely on it.
You must assume the attacker knows the content of both lists. For example he can simply register about 40 times, and then knows a significant part of them.
Your car-names combined with the verbs have about 9.6(=log2(20)+log2(40)) bits of entropy. Corresponds to about 2 random characters. That's very low.
Can you force a password change the first time a user logs in? Or, if all your users have already been logged in, force a password change the next log in? That way, you can keep the more secure passwords and users can't complain about the randomly generated password being hard to remember because they have to change them to something they do remember.
How about using an OpenID system, so they don't have to remember yet another password. There's some Django integration on the interwebs. The downside is that you'll need to know their OpenID in order to add them to the auth DB before you send out the invites...
The Concept of doing a random password generation as far as you have a flag stating which random password generation pattern used for generating the password as you need to check the password in later sign ins.. are you doing that? If yes then add a salting pattern to make it secure and finally a hash of the overall salt generated will be more safe. Try this ..
Related
I've a web portal where user comes in and post his/her images. Now there's a contest running where people can pool in their photos and whoever has maximum likes on its image wins the contest.
So, the problem that I'm facing is one user can register as many accounts as he/she wants and like his/her own image. This will increase the number of likes on the image and the user will win, not legally but its a fraud.
So, is there any way in which I can restrict a only 1 signup from one computer. OR is there any other better way of handling this, even if I can minimize this behaviour it will be of good help.
One method I thought of is I can ask for user's phone number and can verify using an OTP. What cab be other ways of finding the fraud accounts?
Is there any way in which I can get the unique identity of the system(probably MAC address) in Django request variable via which I can allow only 1 user registration per system?
There's no foolproof way, but you can make it harder for fake users with the following steps:
Show a captcha to prevent automated sign-ups.
Track IP address when users sign-up and try to find patterns e.g. too many sign-ups from a single IP could signal fraud. It's also possible that the IP belongs to an organization and the users are genuine.
Check for suspicious IP addresses (e.g. those through VPN or cloud service providers e.g. AWS). You'll have to use a service that identifies VPN specific IP addresses. Also see : https://security.stackexchange.com/a/85416
If you want to get more technical, you could look at the highest liked photos and see if the users who liked it also liked other pictures. Look for tell tale signs. This could give you a pattern to distinguish fake & genuine likes.
Browser fingerprint
P.S. Phone number verification is also a good option since getting a disposable phone number usually isn't free. There are a few disposable free numbers that you could blacklist (search for free disposable phone number).
It is important to focus your effort on the problem. The problem that you want to solve is that people can like their own images to artificially increase their own score.
To be most effective, target the problem (multiple likes) instead of the side-issue (multiple registrations).
Here are some simple suggestions:
Prevent multiple likes from a single IP on a single image
Set a cookie when a like is given; if the cookie is set, do not accept more likes
Add a CAPTCHA. (This won't prevent multiple manual submissions, but will limit automated ones.)
There is nothing wrong with limiting registrations, but be sure to take steps first that address the core problem.
Good Afternoon,
I am hoping someone might be able to help me with a concept. I have a websocket server which pushes JSON messages out to users, I have coded in a number of admin functions for pushing broadcasts out to users, as well as disconnecting users if needed.
One of the things I would like to be able to do though is to come up with a 'near' foolproof way of 'banning' users from connecting to the server if required. This is where I am a bit lost, if I go the cookie route then it is possible that the cookies get cleared and it no longer works, I can't use the session ID either as once they disconnect they get a new session ID, and the IP address is also problematic as many would be on mobile dynamic connection.
Id appreciate any tips on how to best achieve a way of remembering the users so if I ban them, when they go to reconnect I can prevent them.
The server I am running is the supersocketserver whilst the client is HTML5.
Given your current constraints, there is no "foolproof" way to ban a person from accessing your web site.
For privacy reasons, there is no permanent way to identify a given browser. There are cookies, there are IP addresses, there are even some evil "perma-cookies" that attempt to store little pieces of identifying information in lots of places (such as flash cookies and other plug-in data) to try to make it difficult (but not impossible) for users to clear them. As you're already aware, IP addresses are not permanent and are not always tied to just one user either.
And, of course a user can certainly just use a different browser or computer or mobile device.
So, the usual way to control access is to require a user to create an account in your system before they can use your service. Then, if you want to ban a user, you ban that account. Since you will want to prevent the user from just creating a new account, you can collect other identifying information upon account registration. The more info you require and can verify, the harder it is for users to create more and more accounts. This gets to be quite a bit of work if you really want to make it difficult for users to create more accounts because you need to require pieces of identifying information that you can both verify and are hard for a rogue user to duplicate (credit cards, email addresses, home addresses, etc...). How far you go here and how much effort you put in is up to you on how much you want to keep a banned user out.
I want to encrypt a given data using the log-in user's password on a windows machine using WINAPI. I've been looking for a function that uses a token (or something like that) but I couldn't find one.
Does anyone know how to do that?
Thanks! :-)
The Windows Data Protection API sounds like what you need. The CryptProtectData and CryptUnprotectData functions perform encryption using the logon credentials of the current user.
I had written this answer earlier but then reconsidered, since I hadn't heard of the DPAPI before. However, upon some further consideration, I'd like to offer the following opinion. The important preface here is that it all depends on your needs, though. Two conflicting possibilities come to mind:
You want to offer your user complete protection and encryption that the user can trust only she will be able to decrypt, no matter the circumstances.
You're an enterprise IT manager and have all employees on a tight leash. You want them to encrypt business data as part of their workflow so that they cannot see each other's data, but the admins can happily read everyone's data.
If you're in situation (2), then stop reading now and go with DPAPI, which is well suited to that case. If you prefer scenario (1), then read my original answer below.
That's probably not a good idea. Here's why:
The actual password will not be stored on the system (unless you have Windows 3.11 or something like that). Instead, only a hash of the password will be stored, and at login time the password that the user enters is hashed and compared to the stored hash.
So at best you could retrieve the stored hash from the system (if you have admin rights, say). However, if that's the only datum you can go on, then any encryption key you make will be derived from that hash, rather than from the actual password. Thus anyone with access to the system could get to the stored hash, and from there derive the encryption key with relative ease.
In short, don't. Ask the user for a dedicated, fresh password for your data and use it for only that.
use Kerberos (Linux-based authentication server, or other servers using Kerberos) / LDAP framework (Windows server) instead of designing your own login algorithm.
Windows Platform SDK & 3rd-party libraries have connectors with these frameworks.
More information in MSDN about Kerberos: http://msdn.microsoft.com/en-us/library/ff649429.aspx
How to safely store a password
Win32 bcrypt: http://msdn.microsoft.com/en-us/library/aa375421%28v=vs.85%29.aspx
I've been thinking a lot about this recently, and I wanted to know if anyone has thought of/implemented any intuitive ways of securing cookies from manipulation. I've always used the "sign it with a hash and check against the hash later" approach, but it doesn't strike me as a particularly brilliant way of going about it, and just like all good programmers I want to find a better way of doing it.
As for why cookies specifically, well, I don't use native sessions - I hate to touch the filesystem. Cookies are a really quick way of storing data for later, and even with things such as user authentication I'll chuck the user ID in the cookie, perhaps along with the username/email and a signature, as well as a random hash for good measure.
What clever ways have you used to secure your cookie data?
Uh, you're storing the UserID in the cookie and giving the user access based on that value? You're asking for trouble. Server session based data implementations exist for a good security reason: Store a session identifier in the cookie and access the UserID from the record on the server where the client can't tamper with it.
Cookie security to protect against client tampering is pretty much a lost cause. Given enough time, someone will figure out how to crack it. Don't give clients that opportunity. Cookie security's only purpose is to make sure client's cookies aren't stolen.
Signing the cookie with a HMAC is a perfectly reasonable way to do this. HMAC essentially rolls a secret key known only by your server into the hash, so even someone who knows the algorithm can't generate a HMAC that will be recognized as valid without knowing the key. Just using a plain old hash is trivially bypassable because the attacker can generate valid hashes of their own data, and all the "salt" in the ocean won't fix that.
Even if you used a session ID instead of storing meaningful values, you still would have to be careful that an attacker couldn't predict another valid session ID, and send that to you instead, thus hijacking the other user's session. I believe there was an actual exploit against Hotmail that worked this way.
Encrypting the cookie only helps you if there's something in there you don't want the user to see. Even worse, encryption without an HMAC gives a false sense of security because a cookie that is merely encrypted is still vulnerable to manipulation of the ciphertext to change parts of the plaintext.
So in summary, don't just hash it, use an HMAC!
With hashing you need to be very careful that you have included a salt, otherwise it can be trivial to determine a matching hash.
Thus, to protect against accidents, it's often appropriate to also encrypt the cookie.
-- edit
You may also like to learn about 'HTTPOnly' cookies: http://www.owasp.org/index.php/HTTPOnly
On the Security Now podcast (i forgot which episode), Steve Gibson talks about doing something like this and i think the system he recommended was to make the contents of the cookie a good hash, then make that hash a key in your local database where the value(s) is(are) all of the info that it needs to store.
I'm creating a website and I don't want to have user/membership.
However, people using the site can do things like vote and flag questionable content. Is the only way to identify and prevent users from doing this repeatedly by using cookies?
I realize a user can just clear their cookies but I can't think of another way.
Suggestions for this scenario?
Well you could map a cookie + ip-adress in a datarecord in your database. To identify the user. So if the ip exists in the database, you simply just add the cookie, but check the cookie first to avoid unessesary database calls.
This is not optimal though, since schools etc might have the same ips on a lot of computers.
You can always just adapt openid!
Marko & Visage are correct,
Just to add though, you might want to store each vote with the timestamp,IP, etc... so at least if someone does try to "game" your site, you'd be able to rollback sets of votes made from the same location or within a very short amount of time (i.e. from a bot)
+1 To all that others have already said. Here's another middle-way idea:
Use cookies as primary means of limiting voting. If a cookie is not found, check the IP address. Allow no more than, say, 1 vote per 5 minutes from the same IP.
Cookies are not enough, as you said it could be cleared/expired.
IP address tracking is also not an option because of DHCP and firewalls.
The only thing that is ~100% sure is users, but then again, one person can register multiple accounts.
I'll go with cookies, as the simplest ant least obtrusive way. If someone really wants to play the system, he will find a way whatever you try to prevent it.
Even with membership a user can register multiple times and vote.
Cookies are one way to handle this but people who know that they can delete cookie can vote again.
You can catch the IP of the voter and restrict based on that. But many people will have same IP.
Sadly there is no other way.
Yes, you are right.
HTTP is stateless, so there is no way of determining if the origin of a request you receive now is the same or different to the origin of a request you received, say, 5 minutes ago.
Cookies are the only way around this. Even server side sessions rely on cookies to maintain session identity across requests (ignoring the security nightmare of passing the sesison ID in the URL, which anyone with malicious intent can sidestep trivially).
There will always be people gaming the system if it suits them. Moreover, if you make it such that you don't need cookies at all you'd be open to very simple attacks.
I think you'll want to consider ways to increase the economic cost of users operating under a cloud of suspicion.
For example, if a user with the same cookie tries to re-submit the vote, that can obviously be stopped easily.
If a user with a different cookie but from the same IP does the same thing, it could be coming from a proxy/firewall so you may want to be cautious and force them to do something extra, like a simple CAPTCHA. Once they've done this, if they behave properly nothing new is required as long as their new cookie stays with them.
This implies that people without cookies can still participate, but they have to re-enter the letter sequence or whatever each time. A hassle, but they're likely used to sites not working without cookies. They'd be able to make an exception if required.
You really won't be able to deal with users sitting over a pool of IPs (real or otherwise) and exploiting new and dynamic attack vectors on your site. In that case, their economic investment will be more than yours and, frankly, you'll lose. At that point, you're just competing to maintain the rules of your system. That's when you should explore requiring signup/email/mobile/SMS confirmation to up the ante.
You can add GET variables and URL parts to serve as cookies - some sites do that to allow logins and/or tracking when cookies are disabled. Generate the part using source IP and user agent string, for example.
site.com/vote?cookie=123456
site.com/vote/cookie123456