Talk:Testing for Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)

Storing the password in a permanent cookie. The password must be hashed/encrypted and not sent in the clear.

At least without strong recommendations for the hashing/encryption, I find it quite absurd to tell people to do this! But also, in general, my belief is that this is just wrong for several reasons.
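As an added illustration of the design under discussion (example code, not part of the original guide or this talk page), the "password hash in a persistent cookie" scheme the quoted text describes beside the alternative of a random opaque token that exists in the cookie only and is stored server-side as a hash with an expiry; the function names and the in-memory token store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# --- Scheme quoted above: hashed password in a persistent cookie ---
# The digest is a fixed, long-lived credential: it stays valid until the user
# changes the password, is identical on every device, and anyone who reads the
# cookie can replay it. Hashing hides the password text, not the credential.
def weak_remember_cookie(username: str, password: str) -> str:
    digest = hashlib.sha256(password.encode()).hexdigest()
    return f"{username}:{digest}"

# --- Alternative: random opaque token, unrelated to the password ---
# Constructed in-memory store; a real application would persist this table.
TOKENS: Dict[str, dict] = {}
TOKEN_LIFETIME = 30 * 24 * 3600  # 30 days, in seconds

def issue_remember_token(username: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, stored in the clear
    raw = secrets.token_urlsafe(32)        # secret part, stored only as a hash
    TOKENS[selector] = {
        "user": username,
        "hash": hashlib.sha256(raw.encode()).hexdigest(),
        "expires": now + TOKEN_LIFETIME,
    }
    return f"{selector}.{raw}"

def redeem_remember_token(cookie: str, now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    selector, sep, raw = cookie.partition(".")
    if not sep:
        return None
    rec = TOKENS.get(selector)
    if rec is None or rec["expires"] < now:
        return None
    candidate = hashlib.sha256(raw.encode()).hexdigest()
    if not hmac.compare_digest(rec["hash"], candidate):
        return None
    # Single use: the caller issues a fresh token on success, so a stolen copy
    # that is replayed later fails and the theft becomes visible.
    del TOKENS[selector]
    return rec["user"]
```

A leaked copy of TOKENS reveals only hashes of random values, so it does not expose the password or a reusable cookie; revoking a token is a row deletion rather than a forced password change.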