Difference between revisions of "Category:WASS User Managment"

From OWASP
Revision as of 20:08, 22 May 2009

Deploy mechanisms to securely perform tasks related to user management.

From time to time, application users will need to change their password or reset a forgotten password. As noted in other requirements, login credentials are often the only access control mechanism a web application provides. Therefore the application must provide a secure means for a user to change their password and to reset a forgotten one.

  1. Change password
    1. Immediately before changing a password, users must be required to enter their old (existing) password
    2. The new password must meet the existing requirements of this standard.
  2. The password change should be performed over a secure connection
  3. Forgotten passwords
    1. Implement a “secret” question(s)/answer(s) system to manage forgotten passwords if business requirements permit.
      1. Old passwords should never be retrievable.
      2. When specifying their "secret" question, the user should have a choice of what question they are asked, and/or the question should not have a “predefined” or “limited” set of answers, such as “what is your favorite color” or “what was your first car”.
      3. After a number of incorrect attempts at answering the secret question(s), the account should be locked as it would be for incorrect username/password attempts.
      4. The user should be required to change their password immediately after correctly answering the secret question(s).
      5. A notification of password change or forgotten password request should be sent to the user (via email or other communication channels such as SMS).
  4. Passwords should never be emailed or displayed.
  5. All forms that gather user credentials should have auto-complete turned off and must not be pre-populated with data.
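The following is an added example of how the change-password and forgotten-password requirements above fit together in code; it is not OWASP's own code or part of this standard. The in-memory account object, the lockout threshold of five wrong answers, the minimum password length of twelve characters with at least one letter and one digit, and the `notifications` list standing in for the email/SMS channel are all assumptions made for the example.

```python
"""Change-password and forgotten-password flows (added example, not OWASP code).

Assumptions for the example: an in-memory UserAccount instead of a database,
a lockout after MAX_SECRET_ANSWER_ATTEMPTS wrong answers, a stand-in password
policy, and a notifications list in place of a real email/SMS channel.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000
MAX_SECRET_ANSWER_ATTEMPTS = 5   # assumed lockout threshold (requirement 3.1.3)
MIN_PASSWORD_LENGTH = 12         # assumed policy; the standard's own rules apply in practice


def _derive(value: str, salt: bytes) -> bytes:
    """Salted slow hash: passwords and secret answers are stored only in this form,
    so neither an old password nor an answer is ever retrievable (requirement 3.1.1)."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _matches(value: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(_derive(value, salt), expected)


def password_meets_policy(password: str) -> bool:
    """Stand-in for 'the existing requirements of this standard' (requirement 1.2)."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class UserAccount:
    def __init__(self, username: str, password: str, secret_question: str, secret_answer: str):
        self.username = username
        # Free-text question chosen by the user, not picked from a fixed menu (requirement 3.1.2).
        self.secret_question = secret_question
        self.pw_salt = os.urandom(16)
        self.pw_hash = _derive(password, self.pw_salt)
        self.ans_salt = os.urandom(16)
        self.ans_hash = _derive(secret_answer.strip().lower(), self.ans_salt)
        self.failed_answers = 0
        self.locked = False
        self.reset_token = None       # one-time token issued after a correct secret answer
        self.notifications = []       # stand-in for the email/SMS channel (requirement 3.1.5)


def login(user: UserAccount, password: str) -> str:
    if user.locked:
        return "locked"
    return "ok" if _matches(password, user.pw_salt, user.pw_hash) else "denied"


def _set_password(user: UserAccount, new_password: str) -> None:
    user.pw_salt = os.urandom(16)
    user.pw_hash = _derive(new_password, user.pw_salt)
    user.reset_token = None
    # Notification never contains the password itself (requirement 4).
    user.notifications.append("Your password was changed.")


def change_password(user: UserAccount, old_password: str, new_password: str) -> str:
    """Requirement 1: the existing password is re-entered immediately before the change."""
    if user.locked:
        return "locked"
    if not _matches(old_password, user.pw_salt, user.pw_hash):
        return "old_password_incorrect"
    if not password_meets_policy(new_password):
        return "policy_violation"
    _set_password(user, new_password)
    return "ok"


def answer_secret_question(user: UserAccount, answer: str):
    """Requirement 3: wrong answers count toward lockout like failed logins; a correct
    answer yields a one-time token that only permits an immediate password change."""
    if user.locked:
        return "locked", None
    user.notifications.append("A forgotten-password request was made for your account.")
    if not _matches(answer.strip().lower(), user.ans_salt, user.ans_hash):
        user.failed_answers += 1
        if user.failed_answers >= MAX_SECRET_ANSWER_ATTEMPTS:
            user.locked = True
            return "locked", None
        return "incorrect", None
    user.failed_answers = 0
    user.reset_token = secrets.token_urlsafe(32)
    return "ok", user.reset_token


def reset_forgotten_password(user: UserAccount, token: str, new_password: str) -> str:
    """Requirement 3.1.4: the only thing a correct secret answer unlocks is setting a new password."""
    if user.locked:
        return "locked"
    if user.reset_token is None or not hmac.compare_digest(user.reset_token, token):
        return "invalid_token"
    if not password_meets_policy(new_password):
        return "policy_violation"
    _set_password(user, new_password)   # also consumes the token
    return "ok"
```

The secret answer is normalised (trimmed, lower-cased) before hashing so that a user is not locked out by a stray space, while the comparison itself is still done on a salted hash with a constant-time compare. The reset token is single-use and is cleared the moment the new password is set, so answering the question never grants a session by itself.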
