Information systems in the digital age have become increasingly dependent on databases to store a multitude of fundamental data. A key function of structured databases is to house authentication credentials that verify identity and allow users to access more salient personal data. Authentication databases are frequently a target of attack as they potentially provide an avenue to commit further, more lucrative crimes. Despite the provision of industry standard best practice recommendations from organisations such as Open Web Application Security Project (OWASP), Payment Card Industry Security Standards Council (PCI-SSC), Internet Engineering Task Force (IETF) and Institute of Electrical and Electronics Engineers (IEEE), often practical security implementations within industry flounder. Lacking or substandard implementations have cultivated an environment where authentication databases and the data stored therein are insecure. This was demonstrated in the 2016 exposure of a breach experienced by Yahoo where approximately one billion user credentials were stolen. The global technology company was found to be using obsolete security mechanisms to protect user passwords. Dated implementations such as these pose serious threat as they render authentication data highly vulnerable to theft and potential misuse. This paper offers a novel solution for securing authentication databases on non-compliant Apache servers. The method applies the recommended best practice mechanisms in the form of salt, one-way encryption (hashing) and iterations to both pre-existing and newly created passwords that are stored on insecure systems. The proposed solution can be implemented server-side, with little alteration to the existing infrastructure, unbeknownst to the user. It possesses the potential to improve system security, aid compliance, preserve privacy and protect users.
|Number of pages||6|
|Publication status||Published - 21 Jun 2017|
|Event||28th Irish Signals and Systems Conference - Killarney, Co. Kerry, Ireland|
Duration: 20 Jun 2017 → 21 Jun 2017
|Conference||28th Irish Signals and Systems Conference|
|Period||20/06/17 → 21/06/17|
- user credentials