Welcome back. In this lesson, we will talk about handling error messages during authentication: how to handle them and how to make them as generic as possible. The idea is that we want to make it harder for an attacker to perform user ID or password enumeration. Last, we'll briefly discuss using logs to record authentication errors, which will eventually help you if you have to deal with a security incident. So after this lesson, you'll be able to explain how to handle error messages and how to use logs to deal with authentication errors. Let's get started.

The name of the game during authentication is that when there is an authentication error, we make it harder for an attacker to guess why. If the authentication error is communicated to the user incorrectly, the error messages can be used by an attacker to perform username or password enumeration against your system.

I'm going to briefly mention timing attacks. These are attacks where an attacker determines, on average, how long it takes the system to respond when a user is authenticated correctly versus when a user is authenticated incorrectly. If there is a significant average discrepancy in the timing of those two, they can tell which authentication attempts are correct and which are incorrect, and they can use that information for username or password enumeration against your system. However, it's good to know that some web application frameworks take this into account and help make the system respond in roughly the same amount of time whether a user is correctly authenticated or is not authenticated because of a password issue.

Here are a couple of guidelines for how to handle error messages during authentication. The idea is to create very generic error responses during authentication. This holds true for HTTP and HTML error responses. An error message sent back in response to an authentication failure should not give information about the status of the account, or about whether it was the username or the password that was incorrect. For error messages relating to an incorrect user ID or an incorrect password, you can say something along the lines of "Login failed: incorrect user ID or incorrect password." This sort of error message makes it such that an attacker won't be able to determine a valid user ID during an enumeration attempt.

Last but not least, we want to log password failures to our logging system, including the timestamp and the username of the account. You also want to log all account lockouts, again including the timestamp and the username of the account. You log this on the backend, and of course you don't give it as feedback to the user. This is just for your system to record, and it will help in the future: if an incident were to occur, the incident response team will have this extra information for their investigation.

In summary, we want to handle error messages during authentication in such a way that we send back a generic error message, in order to make it harder for an attacker to perform user ID or password enumeration. You also want to log authentication errors and account lockouts in your logging system on the server backend, to help the incident response investigators in the future. That's it for now, thanks for listening.
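As an added example that is not part of the lecture, here is a small Python login handler that puts the three points together: one generic failure message for every cause, roughly even response time for known and unknown user IDs, and backend log records with timestamp and username for password failures and lockouts. `Account`, `Authenticator` and the lockout threshold of 3 are constructed for this example, and verifying a dummy credential for unknown user IDs is one common technique for evening out timing, not something the lecture prescribes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# One generic message for every failure cause: unknown user, bad password, or locked account.
GENERIC_FAILURE = "Login failed: incorrect user ID or password."
LOCKOUT_THRESHOLD = 3  # failures before lockout; constructed value for this example

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False

class Authenticator:
    def __init__(self, accounts):
        self.accounts = accounts
        self.events = []  # backend log records (timestamp + username); never shown to the user
        # A dummy credential is verified for unknown user IDs so the server does the same
        # hashing work, and responds in about the same time, whether or not the ID exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def _log(self, event, username):
        ts = datetime.now(timezone.utc).isoformat()
        self.events.append({"ts": ts, "user": username, "event": event})

    def login(self, username, password):
        account = self.accounts.get(username)
        salt = account.salt if account else self._dummy_salt
        expected = account.pw_hash if account else self._dummy_hash
        # compare_digest takes the same time no matter where the two hashes first differ.
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if account is None or account.locked or not ok:
            self._log("password_failure", username)
            if account is not None and not account.locked:
                account.failures += 1
                if account.failures >= LOCKOUT_THRESHOLD:
                    account.locked = True
                    self._log("account_lockout", username)
            return False, GENERIC_FAILURE  # identical text for every failure cause
        account.failures = 0
        return True, "Login successful."
```

A real deployment would forward `events` to the central logging system rather than keep them in memory; the structure of each record (timestamp, username, event type) is what the incident response team needs.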