User accounts are still the number one target for hackers today. The reason for this is that with a legitimate user account you can access, control, and change all of the information available to that user. Achieving this level of control through a software vulnerability can be incredibly difficult, if not impossible. Yet, with the right username and password, you can do all sorts of incredible things that you shouldn’t. When used as intended, user accounts are very valuable. When used by criminals, they are incredibly powerful and dangerous. And, as we will cover in this course, they are really easy to hack.
In this course, I’ll be focusing specifically on how hackers target user accounts and how we can defend them against criminal attacks. To do this we need to understand how user accounts work, how developers write user functionality in software applications, how criminals attempt to bypass the controls we put in place, and how we can mitigate the constantly evolving threats we face every day.
Contents
- Introduction
- What is a User Account and How Do They Keep Things Secure?
- Types of User Accounts and Ways to Find Them
- Enumerating user accounts to find targets to attack
- Everything you need to know about passwords
- How people think when creating passwords
- How to brute force attack a single user account
- How brute force protections can create a denial of service attack
- How to use password spraying attacks against multiple accounts
- Password reuse and how it makes us vulnerable
- Password hashes and how to crack them
- How to increase the strength of password hashes
- How password resets work and how to abuse them
- Phishing attacks
- Why Multi-Factor Authentication helps but isn’t perfect
- The problem with phone call or SMS based multi-factor authentication
- Authenticator apps and hardware tokens – a better way to MFA
- Other ways to bypass MFA
- Federated identities and single sign-on
- Why not everything uses SSO and how it leaves things vulnerable