[Owasp-leaders] https://www.owasp.org/index.php/Credential_stuffing

Dave Wichers dave.wichers at owasp.org
Tue Sep 20 17:56:22 UTC 2016


Michael,

I'm not so sure we should drop basic defenses yet, since this problem is so
new. I think we should be VERY clear that we understand certain defenses
can be bypassed when they can.

For example, let's say that multi-step login caused 90% of the current
Credential Stuffing attacks to go away, wouldn't that be worth it? We all
understand this is an arms race, so it will keep getting harder and harder,
but I don't think that relatively simple defenses that work today should be
discarded. And if that's simply step 1 in your defense, and you plan to add
additional layers of defense, then I don't think discarding step 1 is
necessary/appropriate.

-Dave

On Tue, Sep 20, 2016 at 1:46 PM, Michael Coates <michael.coates at owasp.org>
wrote:

> Brad,
>
> Thanks for kickstarting this cheat sheet. My initial feedback is that we
> should scrap 3.2 Defense Option 2: Multi-Step Login Process and 3.3 Defense
> Option 3: IP blacklists. These defenses just don't work against this type
> of attack. Even if they provide some defense against the most basic attacks
> I feel it's misleading since it's trivial for an attacker to bypass these
> defenses and real world attacks show that they regularly do.
>
> Not meant as a bash on the overall cheat sheet. In fact I think I kicked
> off this thread and am a big supporter of discussion here. But I think it's
> good for us to avoid partial solutions that could give a false sense of
> security.
>
> I like the other defenses. I think we also can add a few others which are
> "additional identity verification" and "anti automation."
>
>
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
> OWASP Global Board
>
> On Tue, Sep 20, 2016 at 9:39 AM, Brad Causey <bradcausey at owasp.org> wrote:
>
>> Great discussion so far.
>>
>> Would you folks mind taking a look over this and providing feedback?
>>
>> I intend to provide more detail on each subject, but first I figured we
>> could agree on the primary defenses.
>>
>> https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_Sheet
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
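The "anti automation" defense Michael mentions above is where the detection work lands. As an added example that is not part of this thread or of the OWASP cheat sheet, here is a small Python detector run over constructed authentication-log lines. It flags a single source IP that tries many distinct usernames with a high failure rate, and separately reports a site-wide signal (overall failure rate, distinct failed usernames, distinct failing IPs across all sources), because an attacker who spreads attempts thinly across many IPs, as Michael notes, will not trip the per-IP rule alone. The log format, field names, thresholds and sample lines are all assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from any real system).
# Format assumed here: "<ISO timestamp> ip=<addr> user=<name> result=<fail|success>"
SAMPLE_LOG = """\
2016-09-20T17:00:01Z ip=203.0.113.5 user=alice result=fail
2016-09-20T17:00:02Z ip=203.0.113.5 user=bob result=fail
2016-09-20T17:00:02Z ip=203.0.113.5 user=carol result=fail
2016-09-20T17:00:03Z ip=203.0.113.5 user=dave result=fail
2016-09-20T17:00:03Z ip=203.0.113.5 user=erin result=success
2016-09-20T17:00:04Z ip=203.0.113.5 user=frank result=fail
2016-09-20T17:00:10Z ip=198.51.100.7 user=alice result=fail
2016-09-20T17:00:40Z ip=198.51.100.7 user=alice result=success
2016-09-20T17:05:00Z ip=192.0.2.9 user=grace result=success
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def in_window(records, start, window):
    """Keep only records with start <= ts < start + window."""
    end = start + window
    return [r for r in records if start <= r["ts"] < end]


def per_ip_stats(records):
    """Attempts, failures and the set of distinct usernames seen per source IP."""
    stats = {}
    for r in records:
        s = stats.setdefault(r["ip"], {"attempts": 0, "failures": 0, "users": set()})
        s["attempts"] += 1
        s["users"].add(r["user"])
        if r["result"] != "success":
            s["failures"] += 1
    return stats


def suspicious_ips(records, min_distinct_users=5, min_fail_rate=0.8):
    """Per-IP rule: many distinct usernames plus a high failure rate.

    Thresholds are assumed values for illustration; tune them to real traffic.
    """
    flagged = []
    for ip, s in per_ip_stats(records).items():
        fail_rate = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_rate >= min_fail_rate:
            flagged.append(ip)
    return sorted(flagged)


def site_wide_signal(records):
    """Aggregate view that still moves when attempts are spread across many IPs."""
    attempts = len(records)
    failures = [r for r in records if r["result"] != "success"]
    return {
        "attempts": attempts,
        "fail_rate": len(failures) / attempts if attempts else 0.0,
        "distinct_failed_users": len({r["user"] for r in failures}),
        "distinct_failing_ips": len({r["ip"] for r in failures}),
    }


def analyze(log_text, start_iso, window_minutes=5):
    """Run both signals over the lines that fall in the given window."""
    start = datetime.strptime(start_iso, "%Y-%m-%dT%H:%M:%SZ")
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records = in_window(records, start, timedelta(minutes=window_minutes))
    return {"suspicious_ips": suspicious_ips(records), "site": site_wide_signal(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, "2016-09-20T17:00:00Z"))
```

On the constructed input the per-IP rule flags only 203.0.113.5 (six distinct usernames, five of six attempts failed), while 198.51.100.7 (one user, one failure before a success) looks like an ordinary typo. The site-wide figures (8 attempts, 75% failures, 5 distinct failed usernames from 2 IPs) are the numbers to baseline over time; a jump in distinct failed usernames with no single IP standing out is the distributed case the per-IP rule misses.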