This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Codereview-Authentication
Introduction
The following discusses aspects of source code relating to weak authentication functionality, which can result from a flawed implementation or from broken business logic. Authentication is a key line of defence in protecting non-public data and sensitive functionality.
Weak Passwords and password functionality
Password strength should be enforced when a user sets or selects a password, and passwords should be complex in composition. These checks must be performed on the backend/server side of the application when a new password is submitted: any check done only in the browser can be bypassed by sending the request directly.
Bad Example
Simply checking that a password is not null is not sufficient; the check below accepts the empty string and any one-character value:
// Weak: rejects only a missing parameter, not an empty or trivial password.
String password = request.getParameter("Password");
if (password == null) {
    throw new InvalidPasswordException();
}
Good Example
Passwords should be checked for the following composition, or a variant of it:
at least one upper-case character (A-Z)
at least one lower-case character (a-z)
at least one digit (0-9)
at least one special character (!"£$%&...)
a defined minimum length (8 characters)
a defined maximum length (as with all external input, so that an attacker cannot submit an arbitrarily large value for the server to hash)
no contiguous sequences of characters (123, abcd)
not more than 2 identical characters in a row (1111)
Note that more recent guidance (NIST SP 800-63B) favours a generous minimum length and screening candidate passwords against lists of known-breached values over strict composition rules; whichever policy is chosen, it must be enforced server side.
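The following is an added example, not code from the OWASP page, of a server-side validator that implements every rule in the list above and reports all violations at once. It is written in Python rather than the Java of the bad example; the maximum length of 128 and the treatment of three consecutive code points (123, abc, cba) as a "contiguous sequence" are assumptions, since the page gives no exact values for either.

```python
import string

# Policy parameters taken from the page's list. MAX_LENGTH is an assumed
# value; the page only says "a defined maximum length".
MIN_LENGTH = 8
MAX_LENGTH = 128
SPECIALS = set(string.punctuation) | {"£"}   # covers the page's examples
MAX_REPEAT = 2          # "not more than 2 identical characters in a row"
SEQUENCE_LENGTH = 3     # assumed: 3+ consecutive code points count as a run


def has_sequence(password: str, run: int = SEQUENCE_LENGTH) -> bool:
    """True if `run` or more characters ascend or descend by exactly one
    code point in a row, e.g. "123", "abcd" or "cba"."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def has_repeat(password: str, max_repeat: int = MAX_REPEAT) -> bool:
    """True if any character appears more than max_repeat times in a row."""
    count = 1
    for prev, cur in zip(password, password[1:]):
        count = count + 1 if cur == prev else 1
        if count > max_repeat:
            return True
    return False


def validate_password(password) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    This runs on the server; a browser-side copy is only a convenience."""
    problems = []
    # Covers the null case from the bad example as well as the empty string.
    if not isinstance(password, str) or not password:
        return ["password missing"]
    # Length bounds first: the upper bound caps the work the hash must do.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
        return problems          # do not scan oversized input any further
    if not any("A" <= c <= "Z" for c in password):
        problems.append("no upper-case letter")
    if not any("a" <= c <= "z" for c in password):
        problems.append("no lower-case letter")
    if not any("0" <= c <= "9" for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if has_sequence(password):
        problems.append("contains a sequence such as 123 or abc")
    if has_repeat(password):
        problems.append(f"more than {MAX_REPEAT} identical characters in a row")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the page.
    for candidate in ["", "Ab1!", "Passw0rd!", "Abc123!!x", "P@sssw0rd"]:
        print(repr(candidate), validate_password(candidate) or "accepted")
```

Returning the full list of violations rather than raising on the first one lets the registration handler show the user every rule they missed in a single round trip, while the early return on oversized input keeps the remaining scans bounded.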