This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Weak password policy (OTG-AUTHN-007)"
Revision history: page created from the OWASP Testing Guide v4 template; Andrew Muller moved page Testing for Weak password policy (OWASP-AT-008) to Testing for Weak password policy (OTG-AUTHN-007) (Align with Common Numbering); 8 intermediate revisions by 4 users not shown.
Latest revision as of 13:27, 5 August 2014
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
Summary
The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high-profile hacks that have revealed user credentials, it is lamented that the most common passwords are still: 123456, password and qwerty.
Test objectives
Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords.
How to Test
- What characters are permitted and forbidden for use within a password? Is the user required to use characters from different character sets, such as lower and uppercase letters, digits and special symbols?
- How often can a user change their password? How quickly can a user change their password after a previous change? Users may bypass password history requirements by changing their password 5 times in a row, so that after the last password change they have configured their initial password again.
- When must a user change their password? After 90 days? After account lockout due to excessive logon attempts?
- How often can a user reuse a password? Does the application maintain a history of the user's previous 8 passwords?
- How different must the next password be from the last password?
- Is the user prevented from using their username or other account information (such as first or last name) in the password?
References
- Brute Force Attacks: https://www.owasp.org/index.php/Brute_force_attack
- Password length & complexity: https://www.owasp.org/index.php/Password_length_%26_complexity
Remediation
To mitigate the risk of easily guessed passwords facilitating unauthorized access there are two solutions: introduce additional authentication controls (e.g. two-factor authentication) or introduce a strong password policy. The simplest and cheapest of these is the introduction of a strong password policy that enforces password length, complexity, reuse and aging requirements.
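The following is an added example, not code from the OWASP Testing Guide, showing what a server-side implementation of the policy described in the How to Test questions and the Remediation section looks like. It enforces length and character-class complexity, rejects passwords containing the username or first/last name, keeps a history of the previous 8 password hashes, applies a minimum password age (which defeats the "change it 5 times in a row" history bypass), checks the edit distance from the current password, and flags expiry after 90 days. All threshold values in POLICY, the Account fields, and the use of PBKDF2 for the history hashes are assumptions made for this example; the thresholds should come from the application's own policy and a production system would use a dedicated password-hashing function such as argon2 or bcrypt.

```python
"""Password-policy checker for the OTG-AUTHN-007 test points (added example)."""
import hashlib
import os
import string
from dataclasses import dataclass, field

# Assumed policy values for this example; take real values from the application's policy.
POLICY = {
    "min_length": 12,
    "min_classes": 3,                  # of: lower, upper, digit, symbol
    "history_size": 8,                 # previous passwords that may not be reused
    "min_age_seconds": 24 * 3600,      # blocks rapid change cycles through the history
    "max_age_seconds": 90 * 24 * 3600, # password expiry
    "min_distance": 4,                 # Levenshtein distance from the current password
}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; production code would use argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    first_name: str
    last_name: str
    history: list = field(default_factory=list)  # (salt, digest) pairs, most recent last
    last_change: float = 0.0                      # unix time of the last password change


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to measure how different the new password is from the current one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def complexity_violations(password: str, account: Account) -> list:
    """Length, character classes, and account information embedded in the password."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append("too_short")
    classes = sum(any(c in cls for c in password) for cls in CLASSES)
    if classes < POLICY["min_classes"]:
        problems.append("too_few_character_classes")
    lowered = password.lower()
    for token in (account.username, account.first_name, account.last_name):
        if token and len(token) >= 3 and token.lower() in lowered:
            problems.append("contains_account_info")
            break
    return problems


def change_violations(account: Account, current: str, new: str, now: float) -> list:
    """All reasons a password change must be refused; empty list means the change is allowed."""
    problems = complexity_violations(new, account)
    if now - account.last_change < POLICY["min_age_seconds"]:
        problems.append("changed_too_recently")
    if levenshtein(current, new) < POLICY["min_distance"]:
        problems.append("too_similar_to_current")
    for salt, digest in account.history[-POLICY["history_size"]:]:
        if _hash(new, salt) == digest:
            problems.append("reused_password")
            break
    return problems


def set_password(account: Account, new: str, now: float) -> None:
    """Record the new password in the history (hashed with a fresh salt) and the change time."""
    salt = os.urandom(16)
    account.history.append((salt, _hash(new, salt)))
    account.history = account.history[-POLICY["history_size"]:]
    account.last_change = now


def is_expired(account: Account, now: float) -> bool:
    """True once the password is older than the maximum age."""
    return now - account.last_change > POLICY["max_age_seconds"]
```

When testing an application against these points, each check above corresponds to one question in How to Test: try a password that reuses one from the history, try changing the password twice within the minimum age, try a password containing the username or name, and try a password that differs from the current one by a single character. A policy that passes all of them behaves like `change_violations` returning an empty list only for a genuinely new, sufficiently complex password.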