This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Category:WASS User Managment"
Latest revision as of 18:31, 27 May 2009
Deploy mechanisms to securely perform tasks related to user management.
From time to time, application users will need to change their password or reset a forgotten password. As noted in other requirements, login credentials are often the only access control mechanism a web application provides. Therefore the application should provide secure means both to change a password and to allow a user to reset a forgotten password.
- Change password
  - Immediately before changing a password, users must be required to enter their old (existing) password.
  - The new password must meet the existing requirements of this standard.
  - The password change should be performed over a secure connection.
- Forgotten passwords
  - Implement a “secret” question(s)/answer(s) system to manage forgotten passwords if business requirements permit.
    - Old passwords should never be retrievable.
    - When specifying their "secret" question, the user should have a choice of what question they are asked, and/or the question should not have a “predefined” or “limited” choice, such as “what is your favorite color” or “what was your first car”.
    - After a number of incorrect attempts at answering the secret question(s), the account should be locked as it would be for an incorrect username/password attempt.
    - The user should be required to change their password immediately after correctly answering the secret question(s).
- A notification of a password change or forgotten-password request should be sent to the user (via email or other communication channels such as SMS).
- Passwords should never be emailed or displayed.
- All forms that gather user credentials should have auto-complete turned off and must not be pre-populated with data.
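The change-password and forgotten-password flows above, as an added Python example that is not part of the OWASP standard: the old password is re-checked before a change, wrong secret answers count toward lockout like failed logins, a correct answer only unlocks a forced password change, and only hashes are stored so nothing can be retrieved or emailed. MAX_ATTEMPTS, MIN_LENGTH, the PBKDF2 hash and the in-memory notification list are assumed stand-ins for the deployment's own settings.

```python
import hashlib, hmac, os
MAX_ATTEMPTS = 5  # assumed lockout threshold; the standard only says "a number"
MIN_LENGTH = 12   # stand-in for the standard's password requirements (assumed)

def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the site's hash; only hashes are stored, so old passwords and answers are never retrievable
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:
    def __init__(self, username, password, question, answer):
        self.username = username
        self.salt, self.answer_salt = os.urandom(16), os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.question = question  # free-form, chosen by the user, not from a fixed list
        self.answer_hash = _hash(answer.strip().lower(), self.answer_salt)
        self.failed_attempts, self.locked = 0, False
        self.must_change_password = False
        self.notifications = []  # stands in for email/SMS notification delivery

def _set_password(acct, new_password, event) -> bool:
    if len(new_password) < MIN_LENGTH:  # the new password must meet the policy
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.must_change_password = False
    acct.notifications.append(event)  # the notification never carries the password itself
    return True

def change_password(acct, old_password, new_password) -> bool:
    # Change flow: the user re-enters the old password first; then policy check and notification
    if acct.locked or not hmac.compare_digest(_hash(old_password, acct.salt), acct.pw_hash):
        return False
    return _set_password(acct, new_password, "password changed")

def answer_secret_question(acct, answer) -> bool:
    # Reset flow: wrong answers lock the account like failed logins; a correct one reveals nothing
    if acct.locked:
        return False
    if not hmac.compare_digest(_hash(answer.strip().lower(), acct.answer_salt), acct.answer_hash):
        acct.failed_attempts += 1
        acct.locked = acct.failed_attempts >= MAX_ATTEMPTS
        return False
    acct.failed_attempts, acct.must_change_password = 0, True
    acct.notifications.append("forgotten-password request received")
    return True

def reset_password(acct, new_password) -> bool:  # only right after a correct secret answer
    if not acct.must_change_password:
        return False
    return _set_password(acct, new_password, "password reset")
```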