[Owasp-leaders] https://www.owasp.org/index.php/Credential_stuffing

Brad Causey bradcausey at owasp.org
Tue Sep 20 17:58:15 UTC 2016


Our emails crossed. =)

Maybe we could word it differently, so each one of these doesn't appear to
be a comprehensive defense approach by itself?

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
"Si vis pacem, para bellum"
--

On Tue, Sep 20, 2016 at 12:56 PM, Dave Wichers <dave.wichers at owasp.org>
wrote:

> Michael,
>
> I'm not so sure we should drop basic defenses yet, since this problem is
> so new. I think we should be VERY clear, that we understand certain
> defenses can be bypassed when they can.
>
> For example, lets say that multi-step login caused 90% of the current
> Credential Stuffing attacks to go away, wouldn't that be worth it? We all
> understand this is an arms race, so it will keep getting harder and harder,
> but I don't think that relatively simple defenses that work today should be
> discarded. And if that's simply step 1 in your defense, and you plan to add
> additional layers of defense, then I don't think discarding step 1 is
> necessary/appropriate.
>
> -Dave
>
> On Tue, Sep 20, 2016 at 1:46 PM, Michael Coates <michael.coates at owasp.org>
> wrote:
>
>> Brad,
>>
>> Thanks for kickstarting this cheat sheet. My initial feedback is that we
>> should scrap 3.2 Defense Option 2: Multi-Step Login Process and 3.3 Defense
>> Option 3: IP blacklists. These defenses just don't work against this type
>> of attack. Even if they provide some defense against the most basic attacks
>> I feel it's misleading since it's trivial for an attacker to bypass these
>> defenses and real world attacks show that they regularly do.
>>
>> Not meant as a bash on the overall cheat sheet. In fact I think I kicked
>> off this thread and am a big supporter of discussion here. But I think it's
>> good for us to avoid partial solutions that could give a false sense of
>> security.
>>
>> I like the other defenses. I think we also can add a few others which are
>> "additional identify verification" and "anti automation.
>>
>>
>> --
>> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>> OWASP Global Board
>>
>>
>>
>>
>>
>> On Tue, Sep 20, 2016 at 9:39 AM, Brad Causey <bradcausey at owasp.org>
>> wrote:
>>
>>> Great discussion so far.
>>>
>>> Would you folks mind taking a look over this and providing feedback?
>>>
>>> I intend to provide more detail on each subject, but first I figured we
>>> could agree on the primary defenses.
>>>
>>> https://www.owasp.org/index.php/Credential_Stuffing_Preventi
>>> on_Cheat_Sheet
>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160920/60324af8/attachment.html>


More information about the OWASP-Leaders mailing list