[Global_industry_committee] [Owasp-leaders] Draft NIST Special Publication 800-118 Guide to Enterprise Password Management

David Campbell dcampbell at owasp.org
Wed May 20 17:27:33 EDT 2009


Also, obviously, make sure the logout button destroys the cookie server-side.

DC


Eoin wrote:
> Hi Colin, I am reviewing the response,
>
> 3.1.2 Password Capturing : Transmission
>
> Regarding: "Web applications should guard against replay attacks by
> careful design of session management, the provision of a robust logout
> mechanism, inclusion of a log out link or button in every view and
> content anti-caching measures."
>
> My 10 cents:
> Regarding replay attacks, the fundamental control to prevent such
> attacks is privacy of the data in transit. Saying "careful session
> management" does not really give one guidance? The addition of entropy,
> secret key, salt is also a good approach for transmission of passwords
> over a non-encrypted tunnel. Message hashing (with salt) which includes
> a nonce also helps prevent replay.
>
> 3.1.3 Password Capturing : User Knowledge and Behavior
> It may be good to add "out of band" informational functionality. If an
> event occurs in an account, the account owner is informed of the event
> via out-of-band means (mobile phone SMS, email, snail mail) - this may
> only be applicable for enterprise apps, but that's where the money
> is :0) (This may be a runner since you mention out-of-band in 3.3.1)
>
> 3.2.1 Password Guessing and Cracking : Guessing
> Can we add something on reverse brute force (same password but cycling
> through user IDs)?
>
> 3.4 Using Compromised Passwords
> "Least privilege" is the word I would use there.
>
> The inclusion of the logout button on every page which requires
> authentication is more accurate.
>
> 2009/5/20 Colin Watson <colin.watson at owasp.org
> <mailto:colin.watson at owasp.org>>
>
>     Jeff
>
>     Thanks for the helpful tips on presenting our views, especially for
>     making the case why OWASP's input is important.... and hopefully
>     compelling.
>
>     Regards
>
>     Colin
>     _______________________________________________
>     Global_industry_committee mailing list
>     Global_industry_committee at lists.owasp.org
>     <mailto:Global_industry_committee at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/global_industry_committee
>
>
>
>
> -- 
> Eoin Keary CISSP CISA
> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>
> OWASP Code Review Guide Lead Author
> OWASP Ireland Chapter Lead
> OWASP Global Committee Member (Industry)
>
> Quis custodiet ipsos custodes


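As an added illustration of Eoin's point under 3.1.2 (this is example code, not anything from the thread), a toy challenge-response login in Python: the server issues a fresh, single-use nonce, the client answers with a keyed hash of its salted password verifier over that nonce, and a captured response that is sent again is rejected. The usernames, passwords and the 30-second nonce lifetime are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


class NonceChallengeServer:
    """Server side of a salted-hash-plus-nonce login exchange (constructed toy)."""

    NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)

    def __init__(self):
        self.users = {}   # username -> (salt, verifier)
        self.nonces = {}  # nonce -> (username, issued_at); deleted once used

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        # The verifier is password-equivalent; this scheme stops replay only,
        # it does not replace encrypting the transport as the thread notes.
        verifier = hashlib.sha256(salt + password.encode()).digest()
        self.users[username] = (salt, verifier)

    def challenge(self, username):
        salt, _ = self.users[username]
        nonce = secrets.token_hex(16)          # fresh, unpredictable per attempt
        self.nonces[nonce] = (username, time.time())
        return salt, nonce

    def verify(self, username, nonce, proof):
        entry = self.nonces.pop(nonce, None)   # single use: a replay finds nothing
        if entry is None or entry[0] != username:
            return False
        if time.time() - entry[1] > self.NONCE_TTL:
            return False                       # stale challenge
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, proof)


def client_proof(password, salt, nonce):
    """Client side: bind the salted password hash to this challenge's nonce."""
    verifier = hashlib.sha256(salt + password.encode()).digest()
    return hmac.new(verifier, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    server = NonceChallengeServer()
    server.register("alice", "correct horse")      # constructed credentials
    salt, nonce = server.challenge("alice")
    proof = client_proof("correct horse", salt, nonce)
    first = server.verify("alice", nonce, proof)   # genuine login
    replay = server.verify("alice", nonce, proof)  # identical message replayed
    return first, replay                           # (True, False)
```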