This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for Weak security question/answer (OTG-AUTHN-008)"

From OWASP
Jump to: navigation, search
(Created page with "{{Template:OWASP Testing Guide v4}} == Brief Summary == == Description of the Issue == == Black Box testing and example == == Gray Box testing and example == == Referen...")
 
Line 1: Line 1:
 
{{Template:OWASP Testing Guide v4}}
 
{{Template:OWASP Testing Guide v4}}
 +
  
 
== Brief Summary ==
 
== Brief Summary ==
 
+
<br>
 +
Often called "secret" questions and answers, security questions and answers are often used to recover forgotten passwords, or as extra security on top of password.
 +
They are typically generated upon account creation, and require the user to select from some pre-generated questions and supply an appropriate answer, or allow the user to generate their own question and answer pairs. Both methods are prone to insecurities.
 +
<br>
 
== Description of the Issue ==  
 
== Description of the Issue ==  
 
+
<br>
 +
...here: Short Description of the Issue: Topic and Explanation
 +
<br>
 
== Black Box testing and example ==
 
== Black Box testing and example ==
 
+
'''Testing for Topic X vulnerabilities:''' <br>
== Gray Box testing and example ==
+
...<br>
 
+
'''Result Expected:'''<br>
 +
...<br><br>
 
== References ==
 
== References ==
 +
'''Whitepapers'''<br>
 +
...<br>
 +
'''Tools'''<br>
 +
...<br>

Revision as of 05:06, 14 August 2013

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


Brief Summary


Often called "secret" questions and answers, security questions and answers are often used to recover forgotten passwords, or as extra security on top of password. They are typically generated upon account creation, and require the user to select from some pre-generated questions and supply an appropriate answer, or allow the user to generate their own question and answer pairs. Both methods are prone to insecurities.

Description of the Issue


...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...