Testing for Weak password policy (OWASP-AT-008)

Revision as of 10:07, 6 November 2013

This article is part of the new OWASP Testing Guide v4. 
At the moment the project is in the REVIEW phase.


Summary

The most prevalent and most easily administered authentication mechanism is the humble password. The password represents the keys to the kingdom, but it is often subverted by users in the name of usability. In each of the recent high-profile breaches that exposed user credentials, the same lament followed: the most common passwords were still 123456, password and qwerty.

Test objectives

Determine the application's resistance to brute-force password guessing with readily available password dictionaries by evaluating its password length, complexity, reuse and aging requirements.

How to test

Exercise every function that sets a password (registration, change password, password reset, administrative reset) and record the policy each one enforces; they are frequently inconsistent with one another. For each, answer:

  1. What characters are permitted and forbidden for use within a password? Is there a minimum length, and is a maximum length imposed that would rule out long passphrases?
  2. How often can a user change their password (is there a minimum password age)?
  3. When must a user change their password? After 90 days? After account lockout due to excessive logon attempts?
  4. How soon can a user reuse a password? Does the application store the user's previous 8 passwords and refuse them?
  5. How different must the next password be from the last password (or from however many the application stores)?

Example
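The following probe battery answers questions 1, 4 and 5 above by observation. It is added here as a worked example and is not code from the OWASP page or the Testing Guide project. The target is a constructed in-memory stub (`WeakTarget`, an assumption) standing in for the application's change-password function; against a real application, `probe_policy` takes any callable that submits the candidate password and returns True when the application accepted it. Questions 2 and 3 (minimum age and expiry) depend on the application clock and are answered by reading the policy or waiting, not by this battery.

```python
"""Black-box probe battery for a password-change function (added example)."""
import string
from dataclasses import dataclass, field
from typing import Callable

# Constructed probe set: the three passwords the page names plus two more that
# top every leaked-credential list.
DICTIONARY_PROBES = ["123456", "password", "qwerty", "Password1", "letmein"]
# Characters probed one at a time: an application that silently rejects some
# of them shrinks the usable keyspace and pushes users toward weaker choices.
SPECIALS = string.punctuation + " "
# A base value that any reasonable policy accepts (constructed).
STRONG_BASE = "correct-Horse-battery-7"


@dataclass
class Findings:
    accepted_dictionary: list = field(default_factory=list)
    forbidden_chars: list = field(default_factory=list)
    allows_reuse: bool = False
    allows_one_char_change: bool = False


class WeakTarget:
    """Constructed stand-in for an application whose only rule is 'at least 6 characters'."""

    def __init__(self, initial: str):
        self.password = initial

    def change_password(self, new: str) -> bool:
        if len(new) < 6:
            return False
        self.password = new
        return True


def probe_policy(change: Callable[[str], bool]) -> Findings:
    """Answer checklist questions 1, 4 and 5 by observing what `change` accepts.

    `change(new)` must return True when the application accepted `new` as the
    account's password. Accepted probes really change the password, so run
    this against a test account only.
    """
    f = Findings()
    # Q1 (permitted characters): the strong base plus one special at a time.
    for ch in SPECIALS:
        if not change(STRONG_BASE + ch):
            f.forbidden_chars.append(ch)
    # Q4 (reuse): set A, then B, then try A again. Accepted means the
    # application keeps no history of even two entries.
    first, second = STRONG_BASE + "A", STRONG_BASE + "B"
    change(first)
    change(second)
    f.allows_reuse = change(first)
    # Q5 (minimum difference): whichever of A/B is current, this candidate
    # differs from it in exactly one character.
    f.allows_one_char_change = change(STRONG_BASE + "Z")
    # Dictionary entries last, so the account ends on a value the report names.
    for cand in DICTIONARY_PROBES:
        if change(cand):
            f.accepted_dictionary.append(cand)
    return f


def report(f: Findings) -> list:
    """Turn findings into the lines a tester would put in the write-up."""
    lines = []
    if f.accepted_dictionary:
        lines.append("accepts dictionary passwords: " + ", ".join(f.accepted_dictionary))
    if f.forbidden_chars:
        lines.append("forbids characters: " + "".join(f.forbidden_chars))
    if f.allows_reuse:
        lines.append("no password history: previous password accepted again")
    if f.allows_one_char_change:
        lines.append("one-character change from the previous password accepted")
    return lines


if __name__ == "__main__":
    target = WeakTarget("Initial-Passw0rd!")
    for line in report(probe_policy(target.change_password)):
        print("FINDING:", line)
```

Against the stub every dictionary entry is accepted, no character is forbidden, and both the reuse and the one-character-change probes succeed, which is the full set of findings this page describes. The probes are ordered so that a target with a real history does not see the same candidate twice before the reuse test.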

Tools

References

Remediation

To mitigate the risk of easily guessed passwords facilitating unauthorised access there are two solutions: introduce additional authentication controls, or introduce a password policy. The simplest and cheapest of these is a password policy that enforces minimum length, complexity, reuse (history) and aging requirements, checked consistently at every point where a password is set.
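A policy implementation enforcing the four requirements named above (length, complexity, reuse and aging), added here as an example; it is not code from the OWASP page. The thresholds are assumptions chosen for illustration: 12 characters, three of four character classes, an 8-entry history, a 90-day maximum age and a 1-day minimum age (the minimum age stops a user from cycling through the whole history in one sitting to get back to a favourite password), plus a four-entry blocklist standing in for a leaked-password list.

```python
"""Password policy enforcing length, complexity, reuse and aging (added example)."""
import difflib
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import Optional

# Stands in for a leaked-password list; a real deployment loads a large one.
BLOCKLIST = {"123456", "password", "qwerty", "letmein"}
DAY = 86400


@dataclass
class PolicyConfig:
    min_length: int = 12      # assumption
    min_classes: int = 3      # of lowercase, uppercase, digit, punctuation
    history: int = 8          # old passwords that may not be reused
    max_age_days: int = 90    # expiry: must change after this
    min_age_days: int = 1     # blocks cycling through the history in one sitting


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: float                              # unix time of last change
    previous: list = field(default_factory=list)   # (salt, digest) of old passwords


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _char_classes(pw: str) -> int:
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def new_account(username: str, password: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt), now)


def check_new_password(acct: Account, current: str, new: str, cfg: PolicyConfig, now: float) -> Optional[str]:
    """Return the reason `new` is rejected, or None when it satisfies the policy."""
    if not hmac.compare_digest(_hash(current, acct.salt), acct.digest):
        return "current password incorrect"
    if now - acct.changed_at < cfg.min_age_days * DAY:
        return "password changed too recently"
    if len(new) < cfg.min_length:
        return f"shorter than {cfg.min_length} characters"
    if _char_classes(new) < cfg.min_classes:
        return f"fewer than {cfg.min_classes} character classes"
    if new.lower() in BLOCKLIST or acct.username.lower() in new.lower():
        return "on the blocklist or contains the username"
    # Only the current password is available in clear at change time, so the
    # similarity rule compares against it; the history is compared by hash.
    if difflib.SequenceMatcher(None, current.lower(), new.lower()).ratio() > 0.8:
        return "too similar to the current password"
    for salt, digest in [(acct.salt, acct.digest)] + acct.previous:
        if hmac.compare_digest(_hash(new, salt), digest):
            return "reused a recent password"
    return None


def change_password(acct: Account, current: str, new: str, cfg: PolicyConfig, now: float) -> Optional[str]:
    """Apply the policy; on success rotate the salt and push the old hash into history."""
    reason = check_new_password(acct, current, new, cfg, now)
    if reason is not None:
        return reason
    acct.previous = ([(acct.salt, acct.digest)] + acct.previous)[: cfg.history]
    acct.salt = os.urandom(16)
    acct.digest = _hash(new, acct.salt)
    acct.changed_at = now
    return None


def must_change(acct: Account, cfg: PolicyConfig, now: float) -> bool:
    """Aging: True once the password is older than the maximum age."""
    return now - acct.changed_at >= cfg.max_age_days * DAY


if __name__ == "__main__":
    cfg = PolicyConfig()
    acct = new_account("alice", "Initial-Passw0rd!", 0.0)
    for cand in ["qwerty", "Alice-Rules-2024!", "Initial-Passw0rd?", "Second-Passw0rd!"]:
        print(cand, "->", change_password(acct, "Initial-Passw0rd!", cand, cfg, 2 * DAY))
```

The history stores salted PBKDF2 digests rather than plaintext, so checking reuse costs one hash per stored entry; that is acceptable at change time because a change is rare and already interactive. The similarity check runs against the current password only, because that is the only old password the server ever sees in clear.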