https://wiki.owasp.org/index.php?action=history&feed=atom&title=Talk%3AAuthentication_Cheat_SheetTalk:Authentication Cheat Sheet - Revision history2026-04-28T18:26:31ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Talk:Authentication_Cheat_Sheet&diff=242688&oldid=prevGunnar Guðvarðarson: NIST Special Publication 800-63B2018-08-21T13:15:30Z<p>NIST Special Publication 800-63B</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 13:15, 21 August 2018</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l35" >Line 35:</td>
<td colspan="2" class="diff-lineno">Line 35:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>[[User:Sven Neuhaus|Sven Neuhaus]] ([[User talk:Sven Neuhaus|talk]]) 03:48, 6 February 2015 (CST)</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>[[User:Sven Neuhaus|Sven Neuhaus]] ([[User talk:Sven Neuhaus|talk]]) 03:48, 6 February 2015 (CST)</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">=== Adapting the password complexity section to conform to NIST Special Publication 800-63B ===</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">I'd like to suggest replacing the password complexity section with [https://pages.nist.gov/800-63-3/sp800-63b.html#appA Appendix A of NIST Special Publication 800-63B]. [[User:Gunnar Guðvarðarson|Gunnar Guðvarðarson]] ([[User talk:Gunnar Guðvarðarson|talk]]) 08:15, 21 August 2018 (CDT)</ins></div></td></tr>
</table>Gunnar Guðvarðarsonhttps://wiki.owasp.org/index.php?title=Talk:Authentication_Cheat_Sheet&diff=189136&oldid=prevSven Neuhaus: some suggestions2015-02-06T09:48:32Z<p>some suggestions</p>
<p><b>New page</b></p><div>I have a few suggestions for this page:<br />
<br />
=== General Guidelines ===<br />
==== User IDs ====<br />
===== Email address as a User ID =====<br />
====== Validation ======<br />
<br />
"To ensure an address is deliverable, the only way to check this is to send the user an email and have the user take action to confirm receipt."<br />
<br />
Another, less obtrusive way of making sure an email address is deliverable is to use the "RCPT TO" command during a SMTP dialogue and making sure you get a "250" or "251" response. There may be a temporary error if the server uses greylisting.<br />
<br />
=== Password length ===<br />
<br />
Why is there the recommendation of having a maximum password length of 128?<br />
<br />
=== Password complexity ===<br />
<br />
This should mention UTF-8 characters, making sure they are legal to enter.<br />
<br />
=== Utilize Multi-Factor Authentication ===<br />
<br />
This should mention receiving the token via SMS as it is a separate channel (not the internet),<br />
which provides security benefits.<br />
<br />
=== Authentication and Error Messages ===<br />
==== Correct Response Example ====<br />
<br />
If the response doesn't specify whether the username is wrong (does not exist) or the password,<br />
that is an inconvenience for the user, especially if she/he doesn't notice the error.<br />
Many times, there is an alternative way of finding valid usernames anyway, so there is no additional security gained. Use good judgement.<br />
<br />
=== Use of authentication protocols that require no password ===<br />
<br />
Mozilla Persona is missing in this list, it seems to be the best solution in terms of privacy, its only problem is a lack of adoption, something this cheat sheet could change.<br />
<br />
[[User:Sven Neuhaus|Sven Neuhaus]] ([[User talk:Sven Neuhaus|talk]]) 03:48, 6 February 2015 (CST)</div>Sven Neuhaus