[Owasp-leaders] https://www.owasp.org/index.php/Credential_stuffing

Brad Causey bradcausey at owasp.org
Tue Sep 20 17:56:41 UTC 2016


Sounds good Michael. Thanks for the feedback!

I think we could roll whatever value might be gained from those into the
MFA and Fingerprinting sections respectively.

What say you?

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
"Si vis pacem, para bellum"
--

On Tue, Sep 20, 2016 at 12:46 PM, Michael Coates <michael.coates at owasp.org>
wrote:

> Brad,
>
> Thanks for kickstarting this cheat sheet. My initial feedback is that we
> should scrap 3.2 Defense Option 2: Multi-Step Login Process and 3.3 Defense
> Option 3: IP blacklists. These defenses just don't work against this type
> of attack. Even if they provide some defense against the most basic attacks
> I feel it's misleading since it's trivial for an attacker to bypass these
> defenses and real world attacks show that they regularly do.
>
> Not meant as a bash on the overall cheat sheet. In fact I think I kicked
> off this thread and am a big supporter of discussion here. But I think it's
> good for us to avoid partial solutions that could give a false sense of
> security.
>
> I like the other defenses. I think we also can add a few others which are
> "additional identify verification" and "anti automation.
>
>
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
> OWASP Global Board
>
>
>
>
>
> On Tue, Sep 20, 2016 at 9:39 AM, Brad Causey <bradcausey at owasp.org> wrote:
>
>> Great discussion so far.
>>
>> Would you folks mind taking a look over this and providing feedback?
>>
>> I intend to provide more detail on each subject, but first I figured we
>> could agree on the primary defenses.
>>
>> https://www.owasp.org/index.php/Credential_Stuffing_Preventi
>> on_Cheat_Sheet
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160920/d57b2938/attachment.html>


More information about the OWASP-Leaders mailing list