This research was originally performed by researchers from iSec Partners (now NCC Group). It has been migrated to research.nccgroup.com for posterity and can be downloaded below.
Login Service Security
17 Dec 2013 – Rachel Engel
Web application login services are deceptively simple to develop, leading application developers to repeat the mistakes of the past. Learning from the best available mitigations for login service vulnerabilities can have a significant organizational impact in terms of protecting customers and reducing costs related to account breaches.
This paper explores login service security using attack and defense patterns and anti-patterns, offering application developers an easy-to-follow guide to writing login services correctly. While brute force attacks can’t be completely stopped, they can be drastically reduced using a few simple techniques.
The paper can be downloaded below.