This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Talk:Authentication Cheat Sheet

Jump to: navigation, search

I have a few suggestions for this page:

General Guidelines

User IDs

Email address as a User ID

"To ensure an address is deliverable, the only way to check this is to send the user an email and have the user take action to confirm receipt."

Another, less obtrusive way of making sure an email address is deliverable is to use the "RCPT TO" command during a SMTP dialogue and making sure you get a "250" or "251" response. There may be a temporary error if the server uses greylisting.

Password length

Why is there the recommendation of having a maximum password length of 128?

Password complexity

This should mention UTF-8 characters, making sure they are legal to enter.

Utilize Multi-Factor Authentication

This should mention receiving the token via SMS as it is a separate channel (not the internet), which provides security benefits.

Authentication and Error Messages

Correct Response Example

If the response doesn't specify whether the username is wrong (does not exist) or the password, that is an inconvenience for the user, especially if she/he doesn't notice the error. Many times, there is an alternative way of finding valid usernames anyway, so there is no additional security gained. Use good judgement.

Use of authentication protocols that require no password

Mozilla Persona is missing in this list, it seems to be the best solution in terms of privacy, its only problem is a lack of adoption, something this cheat sheet could change.

Sven Neuhaus (talk) 03:48, 6 February 2015 (CST)

Adapting the password complexity section to conform to NIST Special Publication 800-63B

I'd like to suggest replacing the password complexity section with Appendix A of NIST Special Publication 800-63B. Gunnar Guðvarðarson (talk) 08:15, 21 August 2018 (CDT)