This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Category:WASS User Management
From OWASP
Revision as of 20:08, 22 May 2009 by Deleted user (talk | contribs)
From time to time, application users will need to change their password or reset a forgotten one. As noted in other requirements, login credentials are often the only access control mechanism a web application provides. The application should therefore provide a secure means for users to change their password and to reset a forgotten password.
- Change password
  - Immediately before changing a password, users must be required to enter their old (existing) password.
  - The new password must meet the existing requirements of this standard.
  - The password change should be performed over a secure connection.
- Forgotten passwords
  - Implement a "secret" question(s)/answer(s) system to manage forgotten passwords if business requirements permit.
  - Old passwords should never be retrievable.
  - When specifying their "secret" question, the user should have a choice of which question they are asked, and/or the question should not be one with a "predefined" or "limited" set of answers, such as "what is your favorite color" or "what was your first car".
  - After a number of incorrect attempts at answering the secret question(s), the account should be locked, as it would be after incorrect username/password attempts.
  - The user should be required to change their password immediately after correctly answering the secret question(s).
  - A notification of a password change or forgotten password request should be sent to the user (via email or another communication channel such as SMS).
  - Passwords should never be emailed or displayed.
- All forms that gather user credentials should have auto-complete turned off and must not be pre-populated with data.
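The following is an added example, not code from the OWASP standard, showing how the change-password and forgotten-password rules above can be enforced in one account model: the old password is required before a change, the new password is re-checked against policy, wrong secret-question answers count toward lockout, a correct answer forces a password change rather than revealing anything, and each event is recorded for notification. The Account class, MAX_SECRET_ATTEMPTS, MIN_PASSWORD_LENGTH and the notifications list are hypothetical stand-ins.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_SECRET_ATTEMPTS = 3   # constructed policy value: lock after this many wrong answers
MIN_PASSWORD_LENGTH = 12  # stand-in for the standard's own password requirements

def _hash(secret: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash is stored, so neither password nor answer is retrievable
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Account:
    pw_salt: bytes
    pw_hash: bytes
    ans_salt: bytes
    ans_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    must_change_password: bool = False
    notifications: list = field(default_factory=list)  # stand-in for email/SMS alerts

def create_account(password: str, secret_answer: str) -> Account:
    ps, as_ = os.urandom(16), os.urandom(16)
    return Account(ps, _hash(password, ps), as_, _hash(secret_answer.strip().lower(), as_))

def change_password(acct: Account, old: str, new: str) -> bool:
    # Change flow: old password required, new one re-checked against policy, user notified
    if acct.locked or not hmac.compare_digest(acct.pw_hash, _hash(old, acct.pw_salt)):
        return False
    if len(new) < MIN_PASSWORD_LENGTH:
        return False
    acct.pw_salt = os.urandom(16)
    acct.pw_hash = _hash(new, acct.pw_salt)
    acct.must_change_password = False
    acct.notifications.append("password changed")
    return True

def answer_secret_question(acct: Account, answer: str) -> bool:
    # Forgotten-password flow: wrong answers count toward lockout, a right one forces a change
    if acct.locked:
        return False
    if not hmac.compare_digest(acct.ans_hash, _hash(answer.strip().lower(), acct.ans_salt)):
        acct.failed_attempts += 1
        acct.locked = acct.failed_attempts >= MAX_SECRET_ATTEMPTS
        return False
    acct.failed_attempts = 0
    acct.must_change_password = True  # the old password is never revealed, only replaced
    acct.notifications.append("forgotten password request")
    return True
```

A real deployment would also bind the forced change to a short-lived, single-use session or token and hand the notification to an email/SMS service instead of a list.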