
Talk:Testing for Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)



Storing the password in a permanent cookie. The password must be hashed/encrypted and not sent in the clear.

At least without strong recommendations for the hashing/encryption, I find it quite absurd to tell people to do this! But also, in general, my belief is that this is just wrong for several reasons.