21. Threats & Mitigations
Threat                                                                   Mitigation
Online attack against one user                                           Password policy
Online attack using stolen device cookies                                Limited, prevent cookie leaks
Online attack against multiple users                                     Not mitigated
Spoof device cookie                                                      Crypto
Tamper with existing device cookie                                       Crypto
DoS for specific account                                                 OOB device cookie issue
DoS for specific account when client is used by different accounts       Device cookies per account
22. Implementation recommendations
• Use good crypto, like HMAC-SHA2 or a signed JWT.
• Prevent cookie leakage with the Secure & HttpOnly flags.
• Issue a device cookie for a valid password-reset link.
• Issue a new device cookie after each successful login.
• Include the user ID in the cookie name (privacy concerns?).
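An added example (not from the slides or the OWASP page) showing how the "Crypto" mitigation of slide 21 and the recommendations above fit together: an HMAC-SHA256-signed device cookie whose verification rejects spoofed or tampered values and cookies issued to another account, named per account and set with Secure and HttpOnly. The key, the "device_" name prefix and the LOGIN.NONCE.SIGNATURE layout are assumptions; the lockout bookkeeping around the cookie is not shown.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads it from a secret store
# and rotates it. Anyone holding this key can forge device cookies.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, base64url without padding."""
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def cookie_name(user_id: str) -> str:
    """Per-account cookie name, so a browser shared by several accounts
    keeps one device cookie per account. Hashing the ID keeps the raw
    user ID out of the cookie name (the privacy concern on the slide)."""
    return "device_" + hashlib.sha256(user_id.encode()).hexdigest()[:16]


def issue_device_cookie(user_id: str) -> str:
    """Build LOGIN.NONCE.SIGNATURE; call this after every successful login."""
    nonce = secrets.token_urlsafe(16)              # fresh nonce per issuance
    sig = _sign(f"{user_id}.{nonce}".encode())
    return f"{user_id}.{nonce}.{sig}"


def validate_device_cookie(cookie: str, user_id: str) -> bool:
    """True only if the MAC verifies and the cookie names this account.
    A spoofed or tampered cookie fails the MAC check; a genuine cookie
    issued to a different account fails the login check."""
    parts = cookie.rsplit(".", 2)                  # login itself may contain dots
    if len(parts) != 3:
        return False
    login, nonce, sig = parts
    expected = _sign(f"{login}.{nonce}".encode())
    if not hmac.compare_digest(expected, sig):     # constant-time comparison
        return False
    return hmac.compare_digest(login.encode(), user_id.encode())


def set_cookie_header(user_id: str, cookie: str) -> str:
    """Secure + HttpOnly keep the cookie off plaintext HTTP and out of
    reach of page scripts, limiting leakage (slide 21, second row)."""
    return (f"Set-Cookie: {cookie_name(user_id)}={cookie}; "
            "Secure; HttpOnly; SameSite=Strict; Path=/")
```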
23. References
OWASP: Slow Down Online Guessing Attacks with Device Cookies
PasswordsCon, and specific talks from PasswordsCon 14:
• Marc Heuse talk Online Password Attacks
• Alec Muffett talk Facebook Password Hashing & Authentication
An Administrator’s Guide to Internet Password Research