[Owasp-leaders] https://www.owasp.org/index.php/Credential_stuffing

Michael Coates michael.coates at owasp.org
Tue Sep 20 17:46:17 UTC 2016


Brad,

Thanks for kickstarting this cheat sheet. My initial feedback is that we
should scrap 3.2 Defense Option 2: Multi-Step Login Process and 3.3 Defense
Option 3: IP blacklists. These defenses just don't work against this type
of attack. Even if they provide some defense against the most basic attacks
I feel it's misleading since it's trivial for an attacker to bypass these
defenses and real world attacks show that they regularly do.

Not meant as a bash on the overall cheat sheet. In fact I think I kicked
off this thread and am a big supporter of discussion here. But I think it's
good for us to avoid partial solutions that could give a false sense of
security.

I like the other defenses. I think we also can add a few others which are
"additional identify verification" and "anti automation.


--
Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
OWASP Global Board





On Tue, Sep 20, 2016 at 9:39 AM, Brad Causey <bradcausey at owasp.org> wrote:

> Great discussion so far.
>
> Would you folks mind taking a look over this and providing feedback?
>
> I intend to provide more detail on each subject, but first I figured we
> could agree on the primary defenses.
>
> https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_Sheet
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160920/7b79b226/attachment.html>


More information about the OWASP-Leaders mailing list