| (168 intermediate revisions by 25 users not shown) |
| Line 1: |
Line 1: |
| − | = Introduction = | + | __NOTOC__ |
| | + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | | |
| − | '''Authentication''' is the process of verification that an individual or an entity is who it claims to be.
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| − | Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.
| |
| | | | |
| − | '''Session Management''' is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsiquent requests throughout a transaction.
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html Authentication Cheat Sheet] to see the latest version of the cheat sheet. |
| − | Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when mtransmitting and receiving requests.
| |
| − | Sessions should be unique per user and computationally very difficult to predict.
| |
| − | | |
| − | For more information on Authentication, please see the OWASP [[Guide_to_Authentication]] page.
| |
| − | | |
| − | = Authentication General Guidelines =
| |
| − |
| |
| − | == Implement Proper Password Strength Controls ==
| |
| − | | |
| − | A key concern when using passwords for authentication is password strength. A "strong" password policy makes it difficult or even improbable for one to guess the password either by using manual or automated means. The following characteristics define strong a strong password:
| |
| − | | |
| − | 1.Password Length
| |
| − | | |
| − | The longer the password the more combinations possible combinations of characters exist and is hence more difficult to guess.
| |
| − | | |
| − | <br>
| |
| − | | |
| − | '''Important applications''': Minimum of 6 characters in length.
| |
| − | | |
| − | '''Critical applications''': Minimum of 8 characters in length. (consider multi-factor authentication)
| |
| − | | |
| − | '''Highly critical applications''': Consider multi-factor authentication
| |
| − | | |
| − | <br>
| |
| − | | |
| − | 2. Password complexity
| |
| − | | |
| − | '''Example'''<br>Passwords should be checked for the following composition or a variance of such:
| |
| − | | |
| − | *at least: 1 uppercase character (A-Z)
| |
| − | *at least: 1 lowercase character (a-z)
| |
| − | *at least: 1 digit (0-9)
| |
| − | *at least one special character (!"£$%&...)
| |
| − | *a defined minimum length (e.g. 8 chars)
| |
| − | *a defined maximum length (as with all external input)
| |
| − | *no contiguous characters (e.g. 123abcd)
| |
| − | *not more than 2 identical characters in a row (1111)
| |
| − | | |
| − | == Implement Secure Password Recovery Mechanism ==
| |
| − | == Utilize Multi-Factor Authentication ==
| |
| − | == Transmit Passwords Only Over TLS ==
| |
| − | == Implement Account Lockout ==
| |
| − |
| |
| − | = Session Management General Guidelines =
| |
| − |
| |
| − | == Transmit Session ID's Only Over TLS ==
| |
| − | == Ensure Session ID's are Cryptographically Strong and Random ==
| |
| − | == Implement Idle And Absolute Timeout ==
| |
| − | == Caching & Privacy ==
| |
| − | == Cookie Security ==
| |
| − | | |
| − | {{Cheatsheet_Navigation}}
| |
| − | | |
| − | = References =
| |
| − | | |
| − | = Authors and Primary Editors =
| |
| − | | |
| − | Eoin Keary eoinkeary[at]owasp.org
| |
| − | | |
| − | [[Category:How_To]] [[Category:Cheatsheets]] [[Category:OWASP_Document]] [[Category:OWASP_Top_Ten_Project]]
| |
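Review bot: the style attribute on the header div in the "+" line separates two declarations with a comma ("border:0,margin:0"), which is not valid CSS, so browsers will drop that declaration; it should read "border:0;margin:0;". The same revision also removes "{{Cheatsheet_Navigation}}" and all four "[[Category:...]]" tags together with the old content, so the page disappears from the cheat sheet navigation and category listings even though it is being kept as a pointer to the GitHub version; consider leaving the navigation template and at least "[[Category:Cheatsheets]]" under the new notice so readers who land on the wiki page can still reach the other sheets.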