OWASP Annotated Application Security Verification Standard
v2 Authentication verification requirements

  • 2.1 Principle of complete mediation
  • 2.2 Password fields
  • 2.4 Server side enforcement
  • 2.6 Fails securely
  • 2.7 Allows for strong passwords
  • 2.8 All account identity authentication functions are secure
  • 2.9 All credential changes are secure
  • 2.12 All authentication decisions are logged
  • 2.13 Account passwords are salted properly
  • 2.16 Strongly encrypted transport
  • 2.17 No clear text passwords
  • 2.18 No username enumeration
  • 2.19 No default passwords
  • 2.20 Protects against brute force attacks
  • 2.21 External service credentials are encrypted and protected
  • 2.22 Password recovery is well implemented
  • 2.23 Password recovery cannot be used to lock out users
  • 2.24 No “secret” questions
  • 2.25 Supports configuration to disallow previous passwords
  • 2.26 Sensitive operations are sufficiently protected
  • 2.27 Block common or weak passwords / passphrases
  • 2.28 Authentication success or failure should take equal time
  • 2.29 Secrets are not included in the source code
  • 2.30 Use a proven secure authentication mechanism
  • 2.31 Protects against username & password disclosure
  • 2.32 Admin is not accessible for untrusted parties

© Copyright 2015, Boy Baukema. Revision 471fcb0a.
