This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Industry:Draft NIST SP 800-118

From OWASP
Jump to: navigation, search


Return to Global Industry Committee

ACTIVITY IDENTIFICATION
Activity Name Draft NIST SP 800-118
Short Description Provide response to "Draft NIST Special Publication 800-118 Guide to Enterprise Password Management"
Related Projects None
Email Contacts & Roles Primary
Colin Watson 		Secondary
TBC 		Mailing list
Please use the Industry Committee list
ACTIVITY SPECIFICS
Objectives
  • Review Draft SP - in particular issues relating to web application security
  • Where appropriate, draft a response for submission
  • Submit the response as an official OWASP statement
Deadlines
  • 18 May 2009 - Produce initial draft response
  • 18 May 2009 - Circulate to OWASP lists for comment
  • 22 May 2009 - Deadline for comments from OWASP lists
  • 22 May 2009 - Complete final draft response
  • 25 May 2009 - Submit for approval by Global Industry Committee
  • 29 May 2009 - Submit to NIST
Status
  • 1st Draft
Resources Call for responses, 21 Apr 2009

Full draft text

Submit comments to [email protected] with "Comments SP 800-118" in the subject line.


Submission Response

Latest first

Final version

TBC


Draft Text version 2

TBC


Draft Text version 1

Comments

Add comments, additions, changes on draft 1 here please


3.1.1 Password Capturing : Storage

Explanation Use of the "autocomplete" attribute is recommended for HTML form elements containing sensitive data. "Remember me" functionality on public computers, where a user can simply return to their personalized account can be dangerous. Reference 1: Authentication - Browser Remembers Passwords, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project Reference 2: Authentication - Remember Me, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Suggested changes Add "For a web application, the 'autocomplete' attribute should be implemented with the value 'off' in rendered HTML form fields, or whole HTML forms, where sensitive data such as passwords are entered, but this should not be relied upon. Additionally, avoid the use of 'remember me' functionality on public systems, especially where more sensitive data is accessed or the application is considered to be a higher risk. If 'remember me' is implemented, do not turn it on by default, advise users of the risks before they opt in and never use a predictable 'pre-authenticated' token."

3.1.2 Password Capturing : Transmission

Explanation Web Services must not send passwords in plain text. Replay attacks are a significant type of vulnerability found in web applications. Reference 1: Web Services, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project Reference 2: Session Management - Session Token Replay, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Suggested changes In the bulleted list, change the end of the 3rd item from "Examples are switching from telnet to Secure Shell (SSH) and from HTTP to HTTP Secure (HTTPS)." to "Examples are using WS-Security (Web Services Security), switching from telnet to Secure Shell (SSH) and from HTTP to HTTP Secure (HTTPS).". Add "Web applications should guard against replay attacks by careful design of session management, the provision of a robust logout mechanism, inclusion of a log out link or button in every view and content anti-caching measures."

3.1.3 Password Capturing : User Knowledge and Behavior

Explanation Sharing of passwords and use of passwords revealed through social engineering are a particular threat to web applications. Reference 1: Phishing, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project Reference 2: Session Management - Session Token Replay, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Suggested change Add "For web applications, use session fixation controls to strongly tie a single browser to a single session and prevent multiple sessions by the same user. Users should be provided with information on previous successful and unsuccessful login attempts and activities undertaken to help them identify potential mis-use of their own account."

3.2.1 Password Guessing and Cracking : Guessing

Explanation Web applications can be particularly vulnerable to password guessing, where the attacker could have continual access to the target system. Reference 1: Authentication - Change Password, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project Reference 2: Authentication - Brute Force, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Suggested change In the first bullet point, add "On public systems such as web applications, a lower threshold of 5 or 10 failed attempts would be more common." Add "For web applications, the system also needs to guard against distributed guessing attacks, where different user accounts may be targeted and/or different sessions/hosts are used to launch the attack simultaneously." Add "Password change mechanisms should require entry of the old password and enforce protection against guessing attacks in the same was as the login."

3.3.1 Password Replacing : Forgotten Password Recovery and Resets

Explanation Password reset mechanisms vary in complexity, and are often implemented less securely than login mechanisms. Reference: Authentication - Automated Password Resets, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Suggested change Add "For publicly accessible systems such as web applications, password recovery should not be implemented. Instead password reset tied with some out-of-band communication should be used."

3.4 Using Compromised Passwords

Explanation If we accept that some passwords will be compromised, it is important that accounts have the minimum privileges necessary. Thus, a read-only user shouldn't be able to create, update and delete data for example, or undertake administrative functions. Reference: Secure Coding Principles - Security Principles - Principle of Least Privilege, A Guide to Building Secure Web Applications and Web Services, v2.0.1, OWASP http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Suggested change Add "The account accessed, using any password, should have the minimum permissions to undertake the required functionality."

About OWASP

This response is submitted on behalf of the Open Web Application Security Project (OWASP) http://www.owasp.org/. OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a U.S. recognized 501(c)(3) not-for-profit charitable organization, that ensures the ongoing availability and support for our work at OWASP.

Further information:


Return to Global Industry Committee

Retrieved from "https://wiki.owasp.org/index.php?title=Industry:Draft_NIST_SP_800-118&oldid=60996"