
Update: Authentication_Cheat_Sheet.md #1520

Open
NicolaiSoeborg opened this issue Oct 21, 2024 · 1 comment
Labels
  • ACK_WAITING: Issue waiting acknowledgement from the core team before work on a fix starts.
  • HELP_WANTED: Issue for which help is wanted to do the job.
  • UPDATE_CS: Issue about the update/refactoring of an existing cheat sheet.

Comments

@NicolaiSoeborg

What is missing or needs to be updated?

The current Authentication page is not aligned with:

  • best practice for mandatory password rotation (which is to avoid mandatory periodically rotations, see a comparison here: https://søb.org/password/ )
  • OWASP's own "A07:2021 – Identification and Authentication Failures" recommendations (which say to follow NIST SP 800-63b)

Some good quotes:

NIST: Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)

Microsoft: Password expiration requirements do more harm than good

How should this be resolved?

This line does not make sense:

Ensure credential rotation when a password leak occurs, or at the time of compromise identification.

Password leaks occur all the time, and we do not want to force people to change their (potentially) good password for a new (potentially) bad password. Instead we should "annoy" the user with 2FA/MFA, tell them to use a password manager, etc.

Suggestion for a new phrasing:

Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable MFA.

@jmanico
Member

jmanico commented Oct 23, 2024

NIST suggests that the only time to rotate passwords is in the case of password data being compromised. So I suggest:

Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable MFA. Consider password rotation only in case of compromise or when authenticator technology is changed.
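To make the policy both comments converge on concrete, here is an added example (not code from the issue, the cheat sheet, or OWASP) that contrasts an age-based rotation rule with one that forces a reset only on compromise or an authenticator change, using a constructed offline breach corpus in place of a real k-anonymity range lookup; the `Account` fields and decision strings are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Constructed breach corpus (not real leak data): upper-case SHA-1 hex digests, the
# form used by k-anonymity range lookups. A real deployment would query a breach
# service by 5-char hash prefix or keep a local blocklist, as NIST SP 800-63B asks.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password123", "Summer2024!", "qwerty")}

def range_lookup(prefix: str) -> set[str]:
    """Stand-in for a range query: suffixes of every known-breached hash under `prefix`."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_breached(password: str) -> bool:
    """Only the 5-char prefix would leave the client; the suffix match happens locally."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in range_lookup(h[:5])

@dataclass
class Account:
    password_set_on: date
    compromised: bool = False            # credential store breached, or password seen in a leak
    authenticator_changed: bool = False  # e.g. migration to a new password hashing scheme
    mfa_enabled: bool = False

def legacy_decision(acct: Account, today: date, max_age_days: int = 90) -> str:
    """Periodic rotation by age alone: the behaviour the issue argues against."""
    age = (today - acct.password_set_on).days
    return "force_reset" if age >= max_age_days else "ok"

def nist_aligned_decision(acct: Account, presented_password: str) -> str:
    """Rotate only on compromise or authenticator change; otherwise nudge toward MFA."""
    if acct.compromised or acct.authenticator_changed or is_breached(presented_password):
        return "force_reset"            # the one case both comments agree rotation is warranted
    if not acct.mfa_enabled:
        return "prompt_mfa_enrollment"  # "annoy" the user with MFA rather than a new password
    return "ok"

if __name__ == "__main__":
    old = Account(password_set_on=date(2023, 1, 1), mfa_enabled=True)
    print(legacy_decision(old, date(2024, 10, 21)))                  # force_reset
    print(nist_aligned_decision(old, "correct horse battery staple"))  # ok
    print(nist_aligned_decision(old, "Summer2024!"))                 # force_reset
```

The same long-lived password is kept under the NIST-aligned rule until it actually turns up in a breach, at which point the reset is forced regardless of age.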
