[Global_industry_committee] [Owasp-leaders] Draft NIST Special Publication 800-118 Guide to Enterprise Password Management
eoin.keary at owasp.org
Wed May 20 16:29:32 EDT 2009
Hi Colin, I am reviewing the response.
3.1.2 Password Capturing : Transmission
Regarding: "Web applications should guard against replay attacks by careful
design of session management, the provision of a robust logout mechanism,
inclusion of a log out link or button in every view and content anti-caching
My 10 cents:
Regarding replay attacks, the fundamental control to prevent such attacks is
privacy of the data in transit. Saying "careful session management" does not
really give one guidance. The addition of entropy (a secret key or salt) is also
a good approach for transmission of passwords over a non-encrypted tunnel.
Message hashing (with salt) which includes a nonce also helps prevent replay.
3.1.3 Password Capturing : User Knowledge and Behavior
It may be good to add "out-of-band" informational functionality. If an event
occurs in an account, the account owner is informed of the event via
out-of-band means (mobile phone SMS, email, snail mail). This may only be
applicable for enterprise apps, but that's where the money is :0) (This
may be a runner since you mention out-of-band in 3.3.1.)
3.2.1 Password Guessing and Cracking : Guessing
Can we add something on reverse brute force (same password but cycle through
3.4 Using Compromised Passwords
"Least privilege" is the word I would use there.
The inclusion of the logout button on every page which requires
authentication is more accurate.
2009/5/20 Colin Watson <colin.watson at owasp.org>
> Thanks for the helpful tips on presenting our views, especially for
> making the case why OWASP's input is important.... and hopefully
Eoin Keary CISSP CISA
OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)
Quis custodiet ipsos custodes
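The nonce-based approach Eoin mentions under 3.1.2 (a salted hash of the password combined with a server-issued nonce, so that a captured response cannot be resent) is shown below as an added example. This is not code from the mailing list or from the NIST draft; the class names, the PBKDF2 iteration count and the 60-second nonce lifetime are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Iteration count for the password-derived key. Assumption for the example;
# tune it to your hardware and threat model in a real deployment.
PBKDF2_ROUNDS = 50_000


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, stretched key derived from the password on both sides."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AuthServer:
    """Hypothetical server: stores a salted verifier per user and issues
    single-use nonces. A captured response is useless once its nonce is spent."""

    def __init__(self, nonce_ttl: float = 60.0):
        self._users = {}      # username -> (salt, verifier)
        self._pending = {}    # nonce -> (username, expiry time)
        self._nonce_ttl = nonce_ttl

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str):
        """Step 1: the server hands the client the user's salt and a fresh nonce."""
        now = time.time()
        # Drop challenges that were never answered before their expiry.
        self._pending = {n: v for n, v in self._pending.items() if v[1] > now}
        salt, _ = self._users[username]
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (username, now + self._nonce_ttl)
        return salt, nonce

    def authenticate(self, username: str, nonce: str, response: str) -> bool:
        """Step 3: verify HMAC(verifier, nonce). The nonce is removed on first
        use, so replaying the same (nonce, response) pair fails."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False                      # unknown, expired, or already used
        owner, expiry = entry
        if owner != username or time.time() > expiry:
            return False
        _, verifier = self._users[username]
        expected = hmac.new(verifier, nonce.encode("ascii"), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: str) -> str:
    """Step 2: the client proves knowledge of the password without sending it."""
    key = derive_key(password, salt)
    return hmac.new(key, nonce.encode("ascii"), hashlib.sha256).hexdigest()


def demo():
    """Returns (genuine login, replay of captured response, wrong password)."""
    server = AuthServer()
    server.register("alice", "correct horse battery staple")

    salt, nonce = server.challenge("alice")
    response = client_response("correct horse battery staple", salt, nonce)
    genuine = server.authenticate("alice", nonce, response)

    # An eavesdropper who captured (nonce, response) resends it verbatim.
    replayed = server.authenticate("alice", nonce, response)

    # A fresh challenge answered with a guessed password.
    salt2, nonce2 = server.challenge("alice")
    wrong = server.authenticate("alice", nonce2, client_response("hunter2", salt2, nonce2))
    return genuine, replayed, wrong


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would want stated next to this. First, the stored verifier is password-equivalent for this protocol: anyone who reads the user table can answer challenges directly, so the table needs the same protection as a password store. Second, this only stops a captured exchange from being resent; it does not hide the username, the salt or the nonce from an eavesdropper, which is why the mail's first point, privacy of the data in transit, remains the fundamental control.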
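Under 3.2.1 the mail asks for coverage of reverse brute force (one password tried against many accounts). The added example below, not part of the original thread or of the NIST draft, shows the detection side of that: a rule that flags a source failing logins against many distinct usernames within a short window, while a source hammering a single account is left to per-account lockout. The log format and the sample lines are constructed for the illustration; the window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real system. One line per failed login.
# 10.0.0.5 tries six different accounts in a few seconds (reverse brute force);
# 10.0.0.9 tries one account six times (classic brute force); 10.0.0.7 is noise.
SAMPLE_LOG = """\
2009-05-20 16:01:02 LOGIN_FAIL user=alice src=10.0.0.5
2009-05-20 16:01:03 LOGIN_FAIL user=bob src=10.0.0.5
2009-05-20 16:01:03 LOGIN_FAIL user=carol src=10.0.0.5
2009-05-20 16:01:04 LOGIN_FAIL user=dave src=10.0.0.5
2009-05-20 16:01:05 LOGIN_FAIL user=erin src=10.0.0.5
2009-05-20 16:01:06 LOGIN_FAIL user=frank src=10.0.0.5
2009-05-20 16:02:00 LOGIN_FAIL user=bob src=10.0.0.9
2009-05-20 16:02:01 LOGIN_FAIL user=bob src=10.0.0.9
2009-05-20 16:02:02 LOGIN_FAIL user=bob src=10.0.0.9
2009-05-20 16:02:03 LOGIN_FAIL user=bob src=10.0.0.9
2009-05-20 16:02:04 LOGIN_FAIL user=bob src=10.0.0.9
2009-05-20 16:02:05 LOGIN_FAIL user=bob src=10.0.0.9
2009-05-20 17:30:00 LOGIN_FAIL user=alice src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN_FAIL "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, username, source) for each parseable failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["src"]


def detect_reverse_brute_force(text, window=timedelta(minutes=10), min_users=5):
    """Return {source: most distinct usernames failed within any `window`}
    for sources reaching `min_users`. Repeated failures against a single
    account do not trigger this rule; per-account lockout covers that case."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_src[src].append((ts, user))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        # Sliding window anchored at each failure; count distinct accounts hit.
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(detect_reverse_brute_force(SAMPLE_LOG))
```

Keying the rule on the source address is the simplest form; an attacker spreading the attempts across many addresses defeats it, so production detection also tracks the global rate of first-time failures per account and per user agent over the same window.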