This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Category:WASS Credentials


Deploy mechanisms that protect the authentication credentials the application relies on.

Login credentials are often the only access control between legitimate users and attackers. The application must therefore be resilient to brute-force attempts and must not leak information about its users, for example by responding differently to an unknown username than to a wrong password.

  1. Password complexity for all accounts
    1. Passwords should contain at least one alphabetic, one numeric and one special character
    2. Passwords should be at least seven (7) characters long. Do not impose an artificially low maximum length
    3. Passwords should be case sensitive
  2. Account lockout
    1. Deploy a reasonable account lockout mechanism if the business requirements of the web application permit it. A temporary lockout (or rate limit) resists brute force without letting an attacker who knows valid usernames lock legitimate users out permanently
  3. Authentication must occur over a secure channel
    1. The login form (or frame) should reside on a page served over SSL/TLS
    2. Usernames and passwords must always be transmitted to the application over SSL/TLS
  4. A clearly defined log out button must be present, and logging out must invalidate the session on the server
  5. Passwords should not be stored in clear text. Store a salted one-way hash produced by a purpose-built password hashing function (for example bcrypt, scrypt, PBKDF2 or Argon2) rather than reversibly encrypting the password, since an encryption key is a single point of compromise for every stored password
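The items above, as an added worked example that is not part of the OWASP page: a minimal Python 3 credential store (standard library only) that enforces the composition and length rule, keeps passwords case sensitive by hashing them exactly as entered, stores only a salted PBKDF2-HMAC-SHA256 digest, locks an account temporarily after repeated failures, and does the same work and returns the same answer for an unknown username as for a wrong password so that login responses do not reveal which accounts exist. The hash parameters, the lockout threshold and duration, the in-memory user table and the sample credentials are my assumptions, not values the page specifies; the transport (SSL/TLS) and logout items are outside the scope of this snippet.

```python
"""Added example (not from the OWASP WASS page): credential handling that
follows the checklist items above.  Every parameter below is an assumption
chosen for illustration, not a value the page specifies."""
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 7                 # page: at least seven characters
MAX_LENGTH = 128               # assumption: generous cap, only bounds hashing cost
PBKDF2_ITERATIONS = 200_000    # assumption: tune so one hash costs ~100 ms
LOCKOUT_THRESHOLD = 5          # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60      # assumption: temporary lockout, not a permanent one
_DUMMY_SALT = b"\x00" * 16     # used to equalise work for unknown usernames


def check_password_policy(password):
    """Return a list of policy violations; an empty list means acceptable.
    The password is checked exactly as entered, so case is significant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password, salt=None):
    """Salted, slow, one-way hash.  Returns (salt, digest); the clear-text
    password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    """In-memory user table (assumption; a real store would be a database)."""

    def __init__(self, clock=time.time):
        self._users = {}
        self._clock = clock      # injectable so lockout expiry can be tested

    def register(self, username, password):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest,
                                 "failures": 0, "locked_until": 0.0}

    def is_locked(self, username):
        rec = self._users.get(username)
        return rec is not None and rec["locked_until"] > self._clock()

    def authenticate(self, username, password):
        """True only for a correct password on an unlocked account.  Unknown
        users and locked accounts get the same result and the same hashing
        cost as a wrong password, so neither the reply nor its timing reveals
        valid usernames or lockout state."""
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, _DUMMY_SALT)
            return False
        now = self._clock()
        # Hash before the lockout check so a locked account costs the same.
        _, candidate = hash_password(password, rec["salt"])
        if rec["locked_until"] > now:
            return False           # locked: reject even a correct password
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return False
```

`authenticate` deliberately returns only a boolean: the caller should log the failure with the username and source address for monitoring, but show the same generic message to the user in every failure case. The lockout is temporary because a permanent lockout lets anyone who knows a username deny service to its owner, which is the business-requirement trade-off item 2 refers to.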
