v2 Authentication verification requirements
- 2.1 Principle of complete mediation
- 2.2 Password fields
- 2.4 Server side enforcement
- 2.6 Fails securely
- 2.7 Allows for strong passwords
- 2.8 All account identity authentication functions are secure
- 2.9 All credential changes are secure
- 2.12 All authentication decisions are logged
- 2.13 Account passwords are salted properly
- 2.16 Strongly encrypted transport
- 2.17 No clear text passwords
- 2.18 No username enumeration
- 2.19 No default passwords
- 2.20 Protects against brute force attacks
- 2.21 External service credentials are encrypted and protected
- 2.22 Password recovery is well implemented
- 2.23 Password recovery cannot be used to lock out users
- 2.24 No “secret” questions
- 2.25 Supports configuration to disallow previous passwords
- 2.26 Sensitive operations are sufficiently protected
- 2.27 Block common or weak passwords / passphrases
- 2.28 Authentication success or failure should take equal time
- 2.29 Secrets are not included in the source code
- 2.30 Use a proven secure authentication mechanism
- 2.31 Protects against username & password disclosure
- 2.32 Admin is not accessible for untrusted parties