[Global_industry_committee] [Owasp-leaders] Draft NIST Special Publication 800-118 Guide to Enterprise Password Management

Eoin eoin.keary at owasp.org
Wed May 20 16:29:32 EDT 2009


Hi Colin, I am reviewing the response.
3.1.2 Password Capturing : Transmission

Regarding: "Web applications should guard against replay attacks by careful
design of session management, the provision of a robust logout mechanism,
inclusion of a log out link or button in every view and content anti-caching
measures."

My 10 cents:
Regarding replay attacks, the fundamental control to prevent such attacks is
privacy of the data in transit. Saying "careful session management" does not
really give one guidance. The addition of entropy (secret key, salt) is also
a good approach for transmission of passwords over a non-encrypted tunnel.
Message hashing (with salt) which includes a nonce also helps prevent replay.

3.1.3 Password Capturing : User Knowledge and Behavior
It may be good to add "out of band" informational functionality. If an event
occurs in an account, the account owner is informed of the event via
out-of-band means (mobile phone SMS, email, snail mail). This may only be
applicable for enterprise apps, but that is where the money is :0) (This
may be a runner since you mention out-of-band in 3.3.1.)

3.2.1 Password Guessing and Cracking : Guessing
Can we add something on reverse brute force (same password but cycle through
user IDs)?

3.4 Using Compromised Passwords
"Least privilege" is the word I would use there.

The inclusion of the logout button on every page which requires
authentication is more accurate.

2009/5/20 Colin Watson <colin.watson at owasp.org>

> Jeff
>
> Thanks for the helpful tips on presenting our views, especially for
> making the case why OWASP's input is important.... and hopefully
> compelling.
>
> Regards
>
> Colin
> _______________________________________________
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>



-- 
Eoin Keary CISSP CISA
https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

Quis custodiet ipsos custodes
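The replay-prevention point in 3.1.2 above (a salted, keyed message hash that includes a server-issued nonce, so a captured response cannot be resubmitted) can be shown concretely. The following is an added example and is not code from this thread, from OWASP or from the NIST draft; the credential store, salt, iteration count and the hypothetical ChallengeServer / client_response names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: the server stores only a salted, PBKDF2-derived key per
# user, never the password itself. Salt and iteration count are assumptions.
SALT = b"constructed-per-user-salt"
ITERATIONS = 50_000


def derive_key(password: str, salt: bytes = SALT) -> bytes:
    """Derive the shared secret from the password with a salted PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def client_response(key: bytes, nonce: str, username: str) -> str:
    """Client side: keyed hash over the username and the server's fresh nonce.
    The nonce is what makes a captured response useless a second time."""
    message = f"{username}:{nonce}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class ChallengeServer:
    """Issues single-use, time-limited nonces and verifies keyed responses."""

    def __init__(self, users: dict, ttl: float = 60.0, clock=time.monotonic):
        self.users = users        # username -> derived key
        self.ttl = ttl            # seconds a nonce stays valid
        self.clock = clock        # injectable so expiry can be tested offline
        self.pending = {}         # nonce -> (username, issued_at)

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)          # 128 bits from the OS CSPRNG
        self.pending[nonce] = (username, self.clock())
        return nonce

    def verify(self, username: str, nonce: str, response_hex: str) -> bool:
        # Consume the nonce first so it is single-use whether or not it verifies.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False                       # unknown or already used: replay/forgery
        issued_for, issued_at = entry
        if issued_for != username or self.clock() - issued_at > self.ttl:
            return False                       # wrong account or stale challenge
        key = self.users.get(username)
        if key is None:
            return False
        expected = client_response(key, nonce, username)
        return hmac.compare_digest(expected, response_hex)


def replay_demo() -> tuple:
    """Returns (first attempt accepted, identical replay accepted)."""
    users = {"alice": derive_key("correct horse battery staple")}
    server = ChallengeServer(users)
    nonce = server.challenge("alice")
    captured = client_response(users["alice"], nonce, "alice")
    first = server.verify("alice", nonce, captured)
    replayed = server.verify("alice", nonce, captured)   # attacker resends the capture
    return first, replayed


if __name__ == "__main__":
    print(replay_demo())   # (True, False)
```

The nonce only stops reuse of a captured response. An eavesdropper who captures nonce and response can still run an offline guessing attack against the password, which is why the message above puts confidentiality of the data in transit first and treats the hashed exchange as a fallback for an unencrypted tunnel.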
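The reverse brute force suggested for 3.2.1 above (one password cycled through many user IDs) is worth showing against log data, because it is exactly the pattern a per-account lockout counter misses: each account sees one failure. The following is an added example, not code from this thread or from the NIST draft; the log format, the three source addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format: ISO timestamp,
# result, username, source address). Three actors:
#   203.0.113.7  - reverse brute force: one password tried against six accounts
#   10.0.0.5     - legitimate user mistyping twice, then succeeding
#   198.51.100.9 - classic brute force: eight guesses against one account
SAMPLE_LOG = """\
2009-05-20T16:00:00 auth=fail user=alice src=203.0.113.7
2009-05-20T16:01:00 auth=fail user=bob src=203.0.113.7
2009-05-20T16:02:00 auth=fail user=carol src=203.0.113.7
2009-05-20T16:02:30 auth=fail user=mallory src=10.0.0.5
2009-05-20T16:02:45 auth=fail user=mallory src=10.0.0.5
2009-05-20T16:03:00 auth=fail user=dave src=203.0.113.7
2009-05-20T16:03:10 auth=ok user=mallory src=10.0.0.5
2009-05-20T16:04:00 auth=fail user=erin src=203.0.113.7
2009-05-20T16:05:00 auth=fail user=frank src=203.0.113.7
2009-05-20T16:10:00 auth=fail user=admin src=198.51.100.9
2009-05-20T16:10:01 auth=fail user=admin src=198.51.100.9
2009-05-20T16:10:02 auth=fail user=admin src=198.51.100.9
2009-05-20T16:10:03 auth=fail user=admin src=198.51.100.9
2009-05-20T16:10:04 auth=fail user=admin src=198.51.100.9
2009-05-20T16:10:05 auth=fail user=admin src=198.51.100.9
2009-05-20T16:10:06 auth=fail user=admin src=198.51.100.9
2009-05-20T16:10:07 auth=fail user=admin src=198.51.100.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def per_account_failures(lines) -> dict:
    """What a per-account lockout counter sees: failures keyed by username."""
    counts = defaultdict(int)
    for _, result, user, _ in parse(lines):
        if result == "fail":
            counts[user] += 1
    return dict(counts)


def detect_spray(lines, window=timedelta(minutes=10), min_users=5) -> dict:
    """Flag sources whose failures hit at least min_users distinct accounts
    within any sliding window. Returns src -> largest distinct-user count seen."""
    failures = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result == "fail":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({u for _, u in events[start:end + 1]})
            if distinct >= min_users:
                flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-account failures:", per_account_failures(lines))
    print("reverse brute force sources:", detect_spray(lines))
```

The per-account view catches 198.51.100.9 (eight failures on admin) but shows only one failure for each of the six accounts the spray touched, so a lockout threshold never fires; the per-source view is what exposes 203.0.113.7. Sources behind a shared NAT egress legitimately produce failures for many distinct users, so in a real deployment the threshold is tuned per network and weighted by the ratio of failures to successes from the same source.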