Cornucopia - Ecommerce Website - AT 3

Suit: Authentication

Card/Value: 3

Description:
Muhammad can obtain a user's password or other secrets such as security questions, by observation during entry, or from a local cache, or in transit, or by reading it from some unprotected location, or because it is widely known, or because it never expires, or because the user cannot change her own password.

Technical Note:
Passwords and secrets need protection. Common attacks include:
 * Stealing a password/secret in transit (e.g. in an email message, over an unencrypted HTTP connection)
 * Observing a password/secret being entered on screen
 * Weak password recovery (e.g. reliance only on 'security' questions)
 * Use of weak 'remember me' functionality
 * Re-use of passwords making them guessable
 * Passwords/secrets recorded in logs
 * Passwords/secrets exposed in form data/URLs
 * Client-side caching or storage of passwords/secrets
 * Hard-coding of passwords/secrets into code
 * Passwords never changed by user

References:
« Previous Card | Authentication | Next Card »