
H1. Protect your secrets

From OWASP


Description: Passwords are a shared secret between a user and the system providing access, and they are the most common way to authenticate to systems, applications, and services. Authentication is how a person or system proves their identity. The three methods of authentication are: provide something you know, something you have, or something you are. Passwords fulfill the first condition, something you know. People and systems authenticate by providing something only they know, thereby proving their identity. Weak password handling vulnerabilities are weaknesses in the handling, storage, and use of passwords. Many sites use security questions, such as asking for your mother’s maiden name, when you want to reset a forgotten password. This practice has the problem that it often relies on easily guessable information and, more importantly, the answers cannot be changed once a data breach at a provider exposes them.

Threats: The exposure of passwords through mishandling or improper storage could allow discovery and use by attackers to access online services or data.

Impact: Weak password handling can result in the unauthorized access and compromise of data or systems.

Recommendations:

Consumers should focus on:

1. Use different passwords for each site
2. Use long passwords not based on a dictionary word
3. Don’t share your password

Tech-savvy users should also:

1. Use a password manager
2. Enable 2-factor authentication
3. Select fake and/or random answers for security questions
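
The consumer rules above and the random-answer tip, as a small checker added here (not code from the OWASP page): it flags passwords that are short or are a dictionary word with the usual substitutions, finds passwords reused across sites (for example from an exported password-manager vault), and generates random security-question answers. The word lists are tiny constructed placeholders for a real dictionary or breached-password list.

```python
import re
import secrets

# Constructed, tiny stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty", "football"}
# Constructed word list used to build random security-question answers.
ANSWER_WORDS = ["amber", "basalt", "cobalt", "delta", "ember", "fjord", "granite",
                "harbor", "indigo", "juniper", "kestrel", "lumen", "marble", "nickel"]
# Map the usual "leet" substitutions back to letters so P@ssw0rd compares as password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions and drop non-letters: 'P@ssw0rd123' -> 'passwordle'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password: str, min_length: int = 14) -> list[str]:
    """Return the guideline violations for one password; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    core = normalize(password)
    leftover = core
    for word in COMMON_WORDS:
        leftover = leftover.replace(word, "")
    # Heuristic: if almost nothing remains once dictionary words are removed, it is word-based.
    if core and len(leftover) <= 3:
        problems.append("based on a dictionary word")
    return problems


def find_reuse(site_passwords: dict[str, str]) -> list[list[str]]:
    """Group sites that share the same password (rule 1: one password per site)."""
    by_password: dict[str, list[str]] = {}
    for site, pw in site_passwords.items():
        by_password.setdefault(pw, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


def random_answer(words: int = 4) -> str:
    """Random answer for a security question, unrelated to you; keep it in the password manager."""
    return " ".join(secrets.choice(ANSWER_WORDS) for _ in range(words))


if __name__ == "__main__":
    print(check_password("P@ssw0rd123"))  # ['shorter than 14 characters', 'based on a dictionary word']
    print(find_reuse({"mail": "Tr0ub4dor&3", "bank": "Tr0ub4dor&3", "forum": "xkcd-936"}))
    print("mother's maiden name ->", random_answer())
```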

Example: Using an easily guessed password, such as ‘Password’, on your email account would allow an attacker to access your email. Even if it is not an account you actively use, other accounts may rely on it for password resets or as a backup recovery address, and it could also be used to send email under your name.