Comments (2)
Seems that CWE is outdated on the topic.
A lot of authentication and session management requirements in ASVS are based on NIST research, including password requirements.
The table also contains a NIST column and refers to 5.1.1.2.
# | Description | L1 | L2 | L3 | CWE | NIST § |
---|---|---|---|---|---|---|
2.1.9 | Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. (C6) | ✓ | ✓ | ✓ | 521 | 5.1.1.2 |
... and there it is written:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
For correction, maybe we need to get rid of the CWE value from the requirement. The title and short description are kind of valid, but the section "Phase: Architecture and Design" is in conflict with NIST research.
from asvs.
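As an added example (not code from the ASVS project, the issue author, or NIST), the following Python puts a legacy composition-rule policy (character classes, a 16-character cap, 90-day rotation) next to one written to the SP 800-63B §5.1.1.2 text quoted above: length bounds only, any Unicode accepted, a check against a compromised-password list, and a change forced on evidence of compromise rather than on a calendar. The compromised list is a constructed sample and the 128-character cap is an assumed application setting (the standard only asks that at least 64 be permitted).

```python
"""Password policy comparison: legacy composition rules vs. NIST SP 800-63B §5.1.1.2.

Added example; not code from the ASVS project, the issue, or NIST.
"""
import re
import unicodedata
from datetime import datetime, timedelta, timezone

# Constructed sample of a compromised-password list. A real deployment would
# query a breach corpus (e.g. a k-anonymity range API) rather than a set literal.
COMPROMISED = {
    "password", "123456", "qwerty", "letmein",
    "Password1!",  # satisfies every composition rule below and is still burned
}

MIN_LEN = 8     # 800-63B: subscriber-chosen secrets SHALL be at least 8 characters
MAX_LEN = 128   # assumed application cap; 800-63B says at least 64 SHOULD be permitted


def legacy_check(pw: str) -> list[str]:
    """Composition-rule policy of the kind 2.1.9 forbids: character classes and a short cap."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 16:
        problems.append("longer than 16 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs an uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("needs a lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special character")
    return problems


def nist_check(pw: str) -> list[str]:
    """800-63B §5.1.1.2 policy: length bounds, any Unicode, breach check, no composition rules."""
    # Normalise so the same passphrase typed on different platforms compares equal;
    # length is then counted in code points, so spaces and non-Latin scripts count fully.
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw in COMPROMISED:
        problems.append("found in compromised-password list")
    return problems


def legacy_must_change(last_set: datetime, now: datetime,
                       max_age: timedelta = timedelta(days=90)) -> bool:
    """Calendar-driven rotation, which 800-63B says verifiers SHOULD NOT impose."""
    return now - last_set > max_age


def nist_must_change(compromise_evidence: bool) -> bool:
    """800-63B: SHALL force a change on evidence of compromise, and only then."""
    return compromise_evidence


def rotation_demo() -> tuple[bool, bool]:
    """A 151-day-old, uncompromised password: (legacy says rotate, NIST says rotate)."""
    set_at = datetime(2023, 1, 1, tzinfo=timezone.utc)
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    return legacy_must_change(set_at, now), nist_must_change(compromise_evidence=False)


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Password1!", "日本語のパスフレーズ"]:
        print(repr(pw), "legacy:", legacy_check(pw) or "ok", "| nist:", nist_check(pw) or "ok")
    print("rotation required (legacy, nist):", rotation_demo())
```

The contrast worth noticing is "Password1!": it passes every composition rule and fails only the breach check, while the long lowercase passphrase fails three composition rules and passes the NIST policy untouched.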