(170 intermediate revisions by 25 users not shown) |
Line 1: |
Line 1: |
− | = Introduction = | + | __NOTOC__ |
| + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
− | '''Authentication''' is the process of verification that an individual or an entity is who it claims to be.
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
− | Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.
− | '''Session Management''' is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsiquent requests throughout a transaction.
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html Authentication Cheat Sheet] to see the latest version of the cheat sheet. |
− | Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when mtransmitting and receiving requests.
− | Sessions should be unique per user and computationally very difficult to predict.
− | | |
− | For more information on Authentication, please see the OWASP [[Guide_to_Authentication]] page.
− | | |
− | = Authentication General Guidelines =
− |
− | == Implement Proper Password Strength Policy ==
− | | |
− | A key concern when using passwords for authentication is password strength. A "strong" password policy makes it difficult or even improbable for one to guess the password either by using manual or automated means. The following characteristics define strong a strong password:
− | | |
− | 1.Password Length
− | | |
− | The longer the password the more combinations possible combinations of characters exist and is hence more difficult to guess.
− | | |
− | <br>
− | | |
− | '''Important applications''': Minimum of 6 characters in length.
− | | |
− | '''Critical applications''': Minimum of 8 characters in length. (consider 2 factor authentication)
− | | |
− | '''Highly critical applications''': Consider 2 factor authentication
− | | |
− | <br>
− | | |
− | 2. Password complexity
− | | |
− | <br>
− | | |
− | == Implement Secure Password Recovery Mechanism ==
− | == Utilize Multi-Factor Authentication ==
− | == Transmit Passwords Only Over TLS ==
− | == Implement Account Lockout ==
− |
− | = Session Management General Guidelines =
− |
− | == Transmit Session ID's Only Over TLS ==
− | == Ensure Session ID's are Cryptographically Strong and Random ==
− | == Implement Idle And Absolute Timeout ==
− | == Caching & Privacy ==
− | == Cookie Security ==
− | | |
− | {{Cheatsheet_Navigation}}
− | | |
− | = References =
− | | |
− | = Authors and Primary Editors =
− | | |
− | Eoin Keary eoinkeary[at]owasp.org
− | | |
− | [[Category:How_To]] [[Category:Cheatsheets]] [[Category:OWASP_Document]] [[Category:OWASP_Top_Ten_Project]]
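Review bot: the inline style on the added header `<div>` separates `border:0` and `margin:0` with a comma instead of a semicolon; CSS treats `border:0,margin:0` as a single declaration with an invalid value and drops it, so neither the border nor the margin reset is applied (width, height and overflow still are). Change it to `border:0;margin:0;`. Also worth confirming that removing `{{Cheatsheet_Navigation}}` and the four `[[Category:...]]` tags is intended, since the page drops out of the cheat sheet navigation and the How_To, Cheatsheets, OWASP_Document and OWASP_Top_Ten_Project categories once it becomes a redirect notice.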