Comments (11)
We have requirement 2.1.3:
# | Description | L1 | L2 | L3 | CWE | NIST § |
---|---|---|---|---|---|---|
2.1.3 | [MODIFIED] Verify that passwords are not truncated. (C6) | ✓ | ✓ | ✓ | 521 | 5.1.1.2 |
Maybe we can make it more abstract, idea:
Verify that the application compares and hashes the password from the user as it was sent without doing any modification such as truncation or transforming to lowercase.
Nice, I've shortened it a bit:
Verify that the application verifies the user's password exactly as received from the user, without any modifications such as truncation or case transformation.
Never seen it in practice... but whatever the policy is, if an attacker figures it out (and it is not hard to do that), it makes guessing passwords so much easier.
I think it's worth a separate requirement, or a mention in some requirement - it is easy to test, easy to (not) implement, and for that effort, it provides a good impact.
Wordsmithing it a little bit just to make it clear where we are sending it to:
Verify that the application compares and hashes the password from the user as it was sent to the back-end without doing any modification such as truncation or transforming to lowercase.
What do you think?
I analyzed my proposal and was able to verify 2 problems:
- it is not aligned with NIST, which allows replacing multiple consecutive space characters with a single space character
- old-school applications add salt and pepper "manually" to the password and as it happens before hashing, one may interpret the requirement to disallow that
Quotes from NIST SP 800-63B:
- To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length.
  https://pages.nist.gov/800-63-3/sp800-63b.html#-5112-memorized-secret-verifiers
- ... so it may be beneficial to remove repeated spaces in typed passwords prior to verification
  https://pages.nist.gov/800-63-3/sp800-63b.html#a3-complexity
I don't understand why NIST has this exception for multiple spaces. Typing multiple spaces by accident does not seem common to me. Does anyone have more insight into why an exception is added for this particular situation? I think it's reasonable if the ASVS requires the application to match as-is, and not collapse multiple spaces.
I agree that this can be merged with 2.1.3, about truncating passwords.
> old-school applications add salt and pepper "manually" to the password and as it happens before hashing, one may interpret the requirement to disallow that
I think this can be solved with a little bit better phrasing. It also depends on what you define as the "hash algorithm", whether that includes adding the salt or only concerns the MD5 function.
Perhaps we can leave it a bit more vague:
Verify that passwords are processed by the application exactly as received from the user, without any modifications such as truncation or case transformation.
Or we can define it more functionally and less technically. Only the exact password that the user configured should give access to the application.
Verify that the application grants access solely based on the exact password configured by the user without any alterations, such as truncation or case transformation.
"granting access" goes already away from authentication topic.
One more proposal:
Verify that the application uses the password from the user for password verification exactly as received from the user, without any modifications such as truncation or case transformation.
I created PR #1814, and also removed the CWE as it was not correct.
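The following is an added illustration of the requirement discussed in this thread; it is not code from the ASVS project or from any commenter. It contrasts a deliberately weak verifier that lowercases and truncates the password before hashing (the behaviour 2.1.3 is meant to forbid, and the kind of policy that, once an attacker figures it out, shrinks the guess space) with one that hashes the password exactly as received. The class names `WeakVerifier` and `ExactVerifier`, the record layout and the PBKDF2 parameters are assumptions made for the example; the point about salt is that the salt is an input to the hash, not a modification of the password, so an exact verifier still rejects every variant of the configured password.

```python
"""Added example (not from the ASVS thread): password verification with and
without normalisation of the password before hashing. Standard library only."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# A stored record is (salt, derived_key). Iteration count is kept low so the
# example runs quickly; production code should use a proper password hash
# (Argon2id, scrypt, bcrypt) with its recommended parameters.
Record = Tuple[bytes, bytes]
ITERATIONS = 20_000


def _kdf(password: bytes, salt: bytes) -> bytes:
    # Salt is an input to the KDF; the password bytes themselves are untouched.
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


class WeakVerifier:
    """Deliberately weak (hypothetical): lowercases and truncates to 8 chars
    before hashing, so many different inputs map to the same hash."""

    @staticmethod
    def _normalise(password: str) -> bytes:
        return password.lower()[:8].encode("utf-8")

    def enroll(self, password: str) -> Record:
        salt = os.urandom(16)
        return salt, _kdf(self._normalise(password), salt)

    def verify(self, record: Record, password: str) -> bool:
        salt, expected = record
        return hmac.compare_digest(expected, _kdf(self._normalise(password), salt))


class ExactVerifier:
    """Uses the password exactly as received: no truncation, no case change,
    no whitespace collapsing. Only the exact configured password verifies."""

    def enroll(self, password: str) -> Record:
        salt = os.urandom(16)
        return salt, _kdf(password.encode("utf-8"), salt)

    def verify(self, record: Record, password: str) -> bool:
        salt, expected = record
        return hmac.compare_digest(expected, _kdf(password.encode("utf-8"), salt))


def accepted_variants(verifier, record: Record, candidates: List[str]) -> List[str]:
    """Return the candidates the verifier accepts for the given record."""
    return [c for c in candidates if verifier.verify(record, c)]


# Constructed sample: the configured password and a few attacker-style variants
# (case-flipped, suffixed, trailing space, and a first-8-characters guess).
CONFIGURED = "Tr0ub4dor&3"
VARIANTS = [
    "Tr0ub4dor&3",      # exact
    "tr0ub4dor&3",      # case-flipped
    "Tr0ub4dor&3XYZ",   # extra characters past position 8
    "Tr0ub4dor&3 ",     # trailing space
    "TR0UB4DO",         # only the first 8 characters, upper-cased
]


def demo() -> Dict[str, List[str]]:
    """Show which variants each verifier accepts for the same configured password."""
    weak, exact = WeakVerifier(), ExactVerifier()
    return {
        "weak": accepted_variants(weak, weak.enroll(CONFIGURED), VARIANTS),
        "exact": accepted_variants(exact, exact.enroll(CONFIGURED), VARIANTS),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: accepts {accepted}")
```

With the weak verifier every variant in the list is accepted, because they all normalise to `tr0ub4do`; the exact verifier accepts only the configured password. That is the testable property behind the proposed wording: a pentester can submit such variants against a known account and any acceptance shows the password is being modified before verification.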