[Owasp-leaders] Another take on Passwords

Marco M. Morana marco.m.morana at gmail.com
Thu Jan 22 12:57:29 EST 2009

On 1) Not sure if such a tool will really help more than asserting the strength of the password from the perspective of validating password complexity, format, client vs. server input validation via a proxy, etc.

On 2) I agree, several web applications are found vulnerable to insecure password resets. The striking example of Sarah Palin's email password reset you mentioned was due to the choice of non-shared secrets for challenge questions (they were guessable from public profile data). Some guidance on password resets and the choice of good security questions is already captured in our testing guideline: http://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_and_Pwd_Reset_(OWASP-AT-006)

On 3) The use of passwords as a good-enough authentication control is an open debate and is also regulated for some business sectors. In the case of financial applications over the web, passwords are considered a weak authentication control when used for high-risk transactions (e.g. FFIEC guidance). Ideally it would be nice for OWASP to provide best-practice guidance (if we do not have it already) around when and how to use strong authentication controls for web applications depending on the business case, and to recommend solutions such as when to use multi-factor soft and hard tokens and risk-based authentication, as well as standards such as SAML/XACML, OpenID, etc.


Marco Morana

  ----- Original Message ----- 
  From: McGovern, James F (HTSC, IT) 
  To: owasp-leaders at lists.owasp.org 
  Sent: Thursday, January 22, 2009 9:39 AM
  Subject: [Owasp-leaders] Another take on Passwords

  We can find lots of stuff on weak passwords and stuff about rainbow tables which begs several questions. 

  1. Should OWASP have some "project" that is a UI component that will allow a user to tell the strength of a chosen password? (I think Yahoo does something similar but could be better.)

  2. I would argue that weak passwords are less of a problem than weak password reset routines. Think about how easy it was for some Yahoo's to jack Sarah Palin's email. There is no sound guidance on developing reset mechanisms of any credibility. FYI, this is what I am noodling today as part of my day job.

  3. Why are we still using passwords to protect web applications? How come the OWASP crowd isn't backing federated identity, Cardspace, etc.?
