{% extends 'core/Identification and Authentication Failures/IA-Failures.html' %} {% load static %}
The most reliable way to prevent credential stuffing is two-step verification. Meaning every time somebody connects to a selected account from a new location or device, the website asks for confirmation via email or other means. Or you can compare incoming passwords with libraries or APIs of pwned passwords. For example haveibeenpwned.com
There are many ways you can limit and make brute force attacks harder. There is no way to stop them completely, but you can make them nearly impossible. First a foremost is not to allow weak passwords. Let's see an exemplary code in python and how you could do that.
import re
def check_password(password):
errors = []
usable = True;
if len(password) < 8:
errors.append("Password must be longer than 8 characters")
usable = False
if not re.search('[a-z]',password):
errors.append("Password must contain at least one small letter")
usable = False
if not re.search('[A-Z]',password):
errors.append("Password must contain at least one big letter")
usable = False
if not re.search('[0-9]',password):
errors.append("Password must contain atleast one number")
usable = False
if usable:
return
else:
for error in errors:
print(error)
return False
print(check_password("123"))
Password must be longer than 8 characters
Password must contain at least one small letter
Password must contain at least one big letter
print(check_password("123asdaa"))
Password must contain at least one big letter
print(check_password("Asj32rsdf3kd"))
None
This approach is a very simple way to check for password safety. To be even more secure, you can compare the passwords with a list of the most commonly used passwords. Another security layer would be to kick users out after a certain amount of requests in a specified time.
In most cases, frameworks have session ID hiding already implemented. Frameworks use the method of hiding session IDs in the cookies. An example is csrf_token in Django. Another example is .NET which has to store in cookies inaccessible by client scripts set by default. Therefore, nowadays, you do not need to worry about exposed session IDs.
If you are curious, you can also look at your session ID. The process is as follows:
And there you are, depending on the web you are using, there might be none, one, or much information to
see.
For example: