This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Category:WASS User Managment

Revision as of 18:31, 27 May 2009 by MediaWiki spam cleanup (talk | contribs) (Reverting to last version not containing links to

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Deploy mechanisms to securely perform tasks related to user management.

From time-to-time, application users will need to change their password or reset a forgotten password. As noted in other requirements, login credentials are often the only access control mechanism a web application provides. Therefore the application should provide secure means to perform password resets and allowing a user reset a forgotten password.

  1. Change password
    1. Immediately before changing a password, users must be required to enter their old (existing) password
    2. New password must meet the existing requirments of this standard.
  2. The password change should be performed over a secure connection
  3. Forgotten passwords
    1. Implement a “secret” question(s)/answer(s) system to manage forgotten passwords if business requirements permit.
      1. Old passwords should never be retrievable.
      2. When specifying their "secret" question, the user should have a choice of what question they are asked, and/or the question should not have a “predefined” or “limited” choice, such as “what is your favorite color” or “what was your first car”
      3. After a number of incorrect login attempts at answering the secret question(s) the account should be locked as it would for an incorrect username/password attempt.
      4. Require the user to change their password should occur immediately after correctly answering the secret question(s)
      5. A notification of password change or forgotten password request should be sent to the user (via email or other communication channels such as SMS).
  4. Passwords should never be emailed or displayed.
  5. All forms that gather user credentials should have auto-complete turned off and must not be pre-populated with data.

This category currently contains no pages or media.