https://wiki.owasp.org/index.php?action=history&feed=atom&title=Category%3AWASS_Credentials 2026-04-11T15:14:43Z Revision history for this page on the wiki MediaWiki 1.27.2 https://wiki.owasp.org/index.php?title=Category:WASS_Credentials&diff=2730&oldid=prev 2006-05-19T04:17:59Z

<p></p> <p><b>New page</b></p><div>== Deploy mechanisms to enhance the security of authentication credentials used. == <br /> <br /> Login credentials are invariably the only access control mechanism between legitimate users and hackers. The application must therefore be resilient to brute-force attempts, and information about users being leaked.<br /> <br /> #Password Complexity for all accounts<br /> ##Password should contain a minimum of one alphabetic, one numeric and one special character <br /> ##Passwords should be at least seven (7) characters in length. No reasonable maximum should be restricted<br /> ##Passwords should be case sensitive<br /> #Account lockout<br /> ##Deploy reasonable account lockout mechanisms if permitted by the business requirements of the web application<br /> #Authentication mechanism to occur over a secure channel<br /> ##Login form (or FRAME) should reside on a page that is served by SSL <br /> ##Usernames and passwords should always be passed on to the application over SSL.<br /> #A clearly defined log out button must be present.<br /> #Passwords should not be stored in clear text (Hash or encrypt before storing). '''[ACCESS REQUIRED]'''</div>

MikeAndrews