binding session tokens to clients, 139–141
birthday attacks, 181
blocking
administrator logins, 73–75
basic authentication without SSL, 70–72
brute-force attacks, 78–86
blocking HTTP verbs, 95–97
Browser property, 208
brute-force attacks
and asymmetric cryptography, 177–178
avoiding easily guessed credentials, 10–12
blocking, 78–86
changing passwords, 25–27
countermeasures, 78–85
creating random numbers, 187–188
on cryptographic systems, 155
defined, 2
detecting, 85
enforcing strong passwords, 4–10
and hashing algorithms, 179–186
locking accounts against, 79–81
password aging and history issues, 22–25
password authentication delay, 81–82
preventing credential harvesting, 13–16
protecting communications with SSL, 196–198
protecting secrets, 190–195
resetting lost or forgotten passwords, 28–42
session token threats, 112
signing XML data, 348–357
and symmetric cryptography, 156–177
tools for cracking passwords, 10
BugTraq, 206