This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Consumer Best Practices"
From OWASP
| Line 4: | Line 4: | ||
== Weak password handling == | == Weak password handling == | ||
| − | * | + | '''Description:''' |
| − | * Password Manager | + | Passwords are the most common way in which application and services allow us to authenticate ourselves. We authenticate by providing something known only to us to the system, therefore proving we are who we have identified ourselves as.... |
| − | * Strong Passwords | + | |
| − | * | + | '''Threats:''' |
| − | * | + | Easy to guess passwords allow... |
| + | |||
| + | '''Impact:''' | ||
| + | Weak password handling can result... | ||
| + | |||
| + | '''Recommendations:''' | ||
| + | * Use Multi-factor Authentication, especially on important accounts | ||
| + | * Use a Password Manager | ||
| + | * Use Strong Passwords | ||
| + | * Avoid using the same password across different accounts | ||
| + | * Do not answer security questions with easily identifiable or enumerable answers | ||
* Don't allow browsers to store passwords | * Don't allow browsers to store passwords | ||
| + | * Do not share your passwords | ||
==Information Disclosure/Sensitive Data Exposure== | ==Information Disclosure/Sensitive Data Exposure== | ||
| Line 16: | Line 27: | ||
* Giving information away | * Giving information away | ||
| − | ==Trusting Untrusted Sources | + | ==Trusting Untrusted Sources== |
* Untrusted Sources | * Untrusted Sources | ||
* WiFi | * WiFi | ||
* Downloading files from untrusted sources | * Downloading files from untrusted sources | ||
* Clicking on links from unknown or unverified sources | * Clicking on links from unknown or unverified sources | ||
| + | * Review credit reports | ||
| + | * Review unknown uses of online accounts | ||
| + | * Subscribe to a credit monitoring service | ||
| + | * Freeze credit | ||
==Lack of Proper Encryption in Transit== | ==Lack of Proper Encryption in Transit== | ||
| Line 46: | Line 61: | ||
* Password protect all devices | * Password protect all devices | ||
| − | == | + | ==Lack of Proper Protection for Personal Devices and Network== |
| − | * | + | * Use Personal Firewalls |
| − | * | + | * Properly Secure Wireless Access Points |
| − | * | + | * Use Intrusion Detection Services |
| − | * | + | * Use anti-virus |
| + | * Learn to recognize threats? | ||
Revision as of 05:03, 14 June 2016
- 1 Potential OWASP Consumer Top Ten
- 1.1 Weak password handling
- 1.2 Information Disclosure/Sensitive Data Exposure
- 1.3 Trusting Untrusted Sources
- 1.4 Lack of Proper Encryption in Transit
- 1.5 Lack of Proper Encryption at Rest
- 1.6 Using Components with Known Vulnerabilities (Should configuration and patching be 2 separate?)
- 1.7 Running Unnecessary Software or Services
- 1.8 Poor Physical Security
- 1.9 Lack of Proper Protection for Personal Devices and Network
Potential OWASP Consumer Top Ten
Safe practices for consumers on the web.
Weak password handling
Description: Passwords are the most common way in which application and services allow us to authenticate ourselves. We authenticate by providing something known only to us to the system, therefore proving we are who we have identified ourselves as....
Threats: Easy to guess passwords allow...
Impact: Weak password handling can result...
Recommendations:
- Use Multi-factor Authentication, especially on important accounts
- Use a Password Manager
- Use Strong Passwords
- Avoid using the same password across different accounts
- Do not answer security questions with easily identifiable or enumerable answers
- Don't allow browsers to store passwords
- Do not share your passwords
Information Disclosure/Sensitive Data Exposure
- Social Media
- Pictures
- Giving information away
Trusting Untrusted Sources
- Untrusted Sources
- WiFi
- Downloading files from untrusted sources
- Clicking on links from unknown or unverified sources
- Review credit reports
- Review unknown uses of online accounts
- Subscribe to a credit monitoring service
- Freeze credit
Lack of Proper Encryption in Transit
- Do Not Ignore SSL Warnings
- Use Encryption
Lack of Proper Encryption at Rest
- Encrypt PII
- Don't store sensitive information unencrypted
Using Components with Known Vulnerabilities (Should configuration and patching be 2 separate?)
- Patch
- Configure application settings for security
- Do not configure devices to automatically connect to wifi access points
Running Unnecessary Software or Services
- Don't install unneeded software
- Remove software not in use
- Do not enable services you don't use
Poor Physical Security
- Encrypt devices and drives
- Do not leave mobile devices unattended
- Use an inactivity lockout
- Password protect all devices
Lack of Proper Protection for Personal Devices and Network
- Use Personal Firewalls
- Properly Secure Wireless Access Points
- Use Intrusion Detection Services
- Use anti-virus
- Learn to recognize threats?
