Passwords and secrets need protection. Common attacks include:
Stealing a password/secret in transit (e.g. in an email message, over an unencrypted HTTP connection) Observing a password/secret being entered on screen Weak password recovery (e.g. reliance only on 'security' questions) Use of weak 'remember me' functionality Re-use of passwords making them guessable Passwords/secrets recorded in logs Passwords/secrets exposed in form data/URLs Client-side caching or storage of passwords/secrets Hard-coding of passwords/secrets into code Passwords never changed by user
Muhammad can obtain a user's password or other secrets such as security questions, by observation during entry, or from a local cache, or from memory, or in transit, or by reading it from some unprotected location, or because it is widely known, or because it never expires, or because the user cannot change her own password
Owasp ASVS (4.0): 2.5.2 ,2.5.3
Owasp SCP: 36,37,40,43,48,51,119,139,140,146
Owasp Appsensor:
Safecode: 28
ASVS V2.5 - Credential Recovery Requirements
Loading comments 0%