Testing for Weak password policy (OTG-AUTHN-007) - Revision history

Andrew Muller: Andrew Muller moved page Testing for Weak password policy (OWASP-AT-008) to Testing for Weak password policy (OTG-AUTHN-007): Align with Common Numbering

2014-08-05T13:27:27Z

Andrew Muller moved page Testing for Weak password policy (OWASP-AT-008) to Testing for Weak password policy (OTG-AUTHN-007): Align with Common Numbering

Jane O'Connor: Added Andrew's changes.

2014-08-01T19:50:54Z

Added Andrew's changes.

Jane O'Connor at 18:09, 14 May 2014

2014-05-14T18:09:30Z

Jane O'Connor: Final edit

2014-05-14T18:08:45Z

Final edit

Lvsteche: Minor corrections/rewrites.

2014-03-22T08:59:42Z

Minor corrections/rewrites.

Davide Danelon at 12:58, 7 March 2014

2014-03-07T12:58:29Z

Davide Danelon at 12:29, 7 March 2014

2014-03-07T12:29:50Z

Davide Danelon at 16:34, 6 March 2014

2014-03-06T16:34:08Z

Andrew Muller at 15:07, 6 November 2013

2013-11-06T15:07:56Z

Mmeucci: Created page with "{{Template:OWASP Testing Guide v4}} == Brief Summary ==
..here: we describe in "natural language" what we want to test.
== Description of the Issue ==
...her..."

2012-10-09T14:46:44Z

Created page with "{{Template:OWASP Testing Guide v4}} == Brief Summary == ..here: we describe in "natural language" what we want to test. == Description of the Issue == ...her..."

New page

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
 
..here: we describe in "natural language" what we want to test.
 
== Description of the Issue ==
 
...here: Short Description of the Issue: Topic and Explanation
 
== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
...

@@ Line 12: / Line 12: @@
-== Black Box testing ==
+== How to Test==
 # What characters are permitted and forbidden for use within a password? Is the user required to use characters from different character sets such as lower and uppercase letters, digits and special symbols?
@@ Line 24: / Line 24: @@
 == References ==
-* [[Brute_force_attack|Brute Force]] Attacks.
+* [https://www.owasp.org/index.php/Brute_force_attack Brute Force Attacks]
-* [[Password_length_%26_complexity|Password length & complexity]].
+* [https://www.owasp.org/index.php/Password_length_%26_complexity Password length & complexity]

@@ Line 25: / Line 25: @@
 * [[Brute_force_attack|Brute Force]] Attacks.
-* [[Password_length_%26_complexity|Password length & complexity]]
+* [[Password_length_%26_complexity|Password length & complexity]].
 == Remediation ==
 To mitigate the risk of easily guessed passwords facilitating unauthorized access there are two solutions: introduce additional authentication controls (i.e. two-factor authentication) or introduce a strong password policy. The simplest and cheapest of these is the introduction of a strong password policy that ensures password length, complexity, reuse and aging.

@@ Line 5: / Line 5: @@
 The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high profile hacks that have revealed user credentials, it is lamented that most common passwords are still: 123456, password and qwerty.
 == Test objectives ==
 Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords.
 == Black Box testing ==
-# What characters are permitted and forbidden for use within a password? Is the user required to use characters from different character sets such as lower- and uppercase letters, digits and special symbols?
+# What characters are permitted and forbidden for use within a password? Is the user required to use characters from different character sets such as lower and uppercase letters, digits and special symbols?
-# How often can a user change their password? How quickly can a user change his/her password after a previous change? Users may bypass password history requirements by changing their password 5 times in a row so that after the last password change they have configured their initial password again.
+# How often can a user change their password? How quickly can a user change their password after a previous change? Users may bypass password history requirements by changing their password 5 times in a row so that after the last password change they have configured their initial password again.
-# When must a user change their password? After 90 days? After account lockout due to excessive logon attempts?
+# When must a user change their password? After 90 days? After account lockout due to excessive log on attempts?
 # How often can a user reuse a password? Does the application maintain a history of the user's previous used 8 passwords?
 # How different must the next password be from the last password?

@@ Line 4: / Line 4: @@
 == Summary ==
-The most prevalent and most easily administered authentication mechanism is the humble password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high profile hacks that have revealed user credentials, it is lamented that most common passwords are still: 123456, password and qwerty.
+The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high profile hacks that have revealed user credentials, it is lamented that most common passwords are still: 123456, password and qwerty.
 == Test objectives ==
-Determine the resistance of the application's to brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords.
+Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords.
-== How to test ==
+== Black Box testing ==
-# What characters are permitted and forbidden for use within a password?
+# What characters are permitted and forbidden for use within a password? Is the user required to use characters from different character sets such as lower- and uppercase letters, digits and special symbols?
-# How often can a user change their password?
+# How often can a user change their password? How quickly can a user change his/her password after a previous change? Users may bypass password history requirements by changing their password 5 times in a row so that after the last password change they have configured their initial password again.
 # When must a user change their password? After 90 days? After account lockout due to excessive logon attempts?
-# How often can a user reuse a password? Does the application store the user's previous 8 passwords?
+# How often can a user reuse a password? Does the application maintain a history of the user's previous used 8 passwords?
-# How different must the next password be from the last password (or however many are stored by the application)?
+# How different must the next password be from the last password?
@@ Line 26: / Line 27: @@
 == Remediation ==
-To mitigate the risk of easily guessed passwords facilitating unauthorised access there are two solutions: introduce additional authentication controls or introduce a password policy. The simplest and cheapest of these is the introduction of a password policy that ensures password length, complexity, reuse and aging.
+To mitigate the risk of easily guessed passwords facilitating unauthorized access there are two solutions: introduce additional authentication controls (i.e. two-factor authentication) or introduce a strong password policy. The simplest and cheapest of these is the introduction of a strong password policy that ensures password length, complexity, reuse and aging.

@@ Line 21: / Line 21: @@
 == References ==
-See the OWASP article on [[Brute_force_attack|Brute Force]] Attacks.
+* [[Brute_force_attack|Brute Force]] Attacks.
 == Remediation ==
 To mitigate the risk of easily guessed passwords facilitating unauthorised access there are two solutions: introduce additional authentication controls or introduce a password policy. The simplest and cheapest of these is the introduction of a password policy that ensures password length, complexity, reuse and aging.

← Older revision	Revision as of 13:27, 5 August 2014
(No difference)

← Older revision		Revision as of 12:29, 7 March 2014
Line 18:		Line 18:
	# How different must the next password be from the last password (or however many are stored by the application)?		# How different must the next password be from the last password (or however many are stored by the application)?

−	~~=== Example ===~~
−
−
−
−	~~== Tools ==~~

	== References ==		== References ==

@@ Line 2: / Line 2: @@
-== Brief Summary ==
+== Summary ==
-<br>
-..here: we describe in "natural language" what we want to test.
+The most prevalent and most easily administered authentication mechanism is the humble password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high profile hacks that have revealed user credentials, it is lamented that most common passwords are still: 123456, password and qwerty.
-<br>
-== Description of the Issue ==
+== Test objectives ==
-<br>
-...here: Short Description of the Issue: Topic and Explanation
+Determine the resistance of the application's to brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords.
-<br>
-== Black Box testing and example ==
+== How to test ==
-'''Testing for Topic X vulnerabilities:''' <br>
-...<br>
+# What characters are permitted and forbidden for use within a password?
-'''Result Expected:'''<br>
+# How often can a user change their password?
-...<br><br>
+# When must a user change their password? After 90 days? After account lockout due to excessive logon attempts?
 == References ==
-'''Whitepapers'''<br>
-...<br>
-'''Tools'''<br>
+== Remediation ==
-...<br>