This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Codereview-Authentication"
| Line 8: | Line 8: | ||
This could be due to flawed implementation or broken business logic: | This could be due to flawed implementation or broken business logic: | ||
Authentication is a key line of defence in protecting non-public data, sensitive functionality | Authentication is a key line of defence in protecting non-public data, sensitive functionality | ||
| + | |||
| + | ===Weak Passwords and password functionality=== | ||
| + | |||
| + | Password strength should be enforced upon a user setting/selecting ones password. Passwords should be complex in composition. | ||
| + | Such checks should be done on the backend/server side of the application upon an attempt to submitt a new password. | ||
| + | |||
| + | ====Bad Example==== | ||
| + | Simply checking that a password is not NULL is not sufficient: | ||
| + | |||
| + | String password = request.getParameter("Password"); | ||
| + | if (password == Null) | ||
| + | {throw InvalidPasswordException() | ||
| + | } | ||
| + | |||
| + | ====Good Example==== | ||
| + | |||
| + | Passwords should be checked for the following composition or a variance of such | ||
| + | |||
| + | at least: 1 Upper character (A-Z) | ||
| + | at least: 1 Lower character (a-z) | ||
| + | at least: 1 digit (0-9) | ||
| + | at least one special character (!"£$%&...) | ||
| + | |||
| + | a defined minimum length (8 chars) | ||
| + | a defined maximum length (as with all external input) | ||
| + | |||
| + | no contigous characters (123abcd) | ||
| + | not more than 2 identical characters in a row (1111) | ||
| + | ===Unlogical business Logic=== | ||
| + | |||
| + | ===Data validation issues=== | ||
Revision as of 14:37, 1 July 2008
OWASP Code Review Guide Table of Contents
Introduction
The following discusses aspects of source code relating to weak authentication functionality. This could be due to flawed implementation or broken business logic: Authentication is a key line of defence in protecting non-public data, sensitive functionality
Weak Passwords and password functionality
Password strength should be enforced upon a user setting/selecting ones password. Passwords should be complex in composition. Such checks should be done on the backend/server side of the application upon an attempt to submitt a new password.
Bad Example
Simply checking that a password is not NULL is not sufficient:
String password = request.getParameter("Password");
if (password == Null)
{throw InvalidPasswordException()
}
Good Example
Passwords should be checked for the following composition or a variance of such
at least: 1 Upper character (A-Z) at least: 1 Lower character (a-z) at least: 1 digit (0-9) at least one special character (!"£$%&...)
a defined minimum length (8 chars) a defined maximum length (as with all external input) no contigous characters (123abcd) not more than 2 identical characters in a row (1111)
