password security #1540
Comments
I think those examples are covered in practice with current requirement as most likely those are leaked.
This I have rised myself in #683 (comment) Recommendation no 5: add requirement, that password should not contain expected and context-specific words, like user data or site data and "1337 speaking version" of them (example: owaspasvs > 0wa5pasvs) (part of passwords blacklist). From pen-testing practice, this is one of the most important requirement to have in password topic - people have learned to use "unique" passwords per site, but they too often use site data with some other pattern for that. We ask for PR if we have agreement here in the issue, what kind of change we want/need - otherwise it's discussion over PR's and it's not nice to follow or understand later, why some changes were made. |
not all. In a case I had they checked via haveibeenpwend. They were some sequences in there (API) like the examples NIST gave but if you look at the wording of NIST it's much stronger.. So in a retest it was only possible to add two unique chars in a row.
I stumbled over password = username or password = mail address, password = first or last name , password = name of the site, password = service description of the site .... |
|
And to add: I wouldn't rely on leaked PWs only. So assuming aaaa.... (dots for chars to follow) is in a leaked password list maybe right. But what about bbbb... , ääää...., åååå... or ÇÇÇÇ.... ? Especially for offline attacks that maybe a low handing fruit |
|
I don't agree that allowing mentioned (bbbb... , ääää...., åååå... or ÇÇÇÇ....) passwords make authentication more weak. If we talk about online attacks, amount of attempts must be limited
Those passwords/patterns should not be my first 1000 list. And more popular ones exists already in leakage files or APIs. My point with those - in my opinion the benefit from this (proposed new) requirement is with questionable impact or if there is, it is too small to be worth separate requirement. If you think about risk rating - what is the risk for this finding in the report? How much more secure application is with not allowing those passwords? Or the actual security comes from somewhere else. context specific passwords - and with context specific password I have clear opposite opinion - both based on my own experience as a pentester. People are using too often context specific words as passwords and those are effective as online attacks even when attempts are limited per user and/or per IP. |
I am in general talking about offline and online attacks. With online attacks only I could be way more relaxed concerning the rules if appropriate measures are in place. That's why bbbb... , ääää...., åååå... or ÇÇÇÇ are important to avoid. Don't know whether you know how offline attacks with hashcat and friends work? Also it's a NIST requirement. and I believe we should not weaken that. Why do you believe OWASP should not follow that? This is also true for context specific passwords. This is just crazy. Why should we not say no to "[email protected] as both the username and The password. Or ~"(| |.)" as a password, especially when the login is "[email protected]. This is the first thing I try as a pentester for targetted attacks as it's the lowest handing fruit. And probably smart black hats too. |
|
Against offline attack - first, how did you get the hashes, or were there hashes at all? If they were correctly hashed
Personally I watch this Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’). as composition rule and we have requirement "Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters." My question stays:
|
|
Sorry, I am done with discussing this. If the project thinks, you need to be less strict than NIST, fine. I believe you shouldn't |
I would like to see a PR for this. This is all now very standard password advice right from NIST 800-63b. Good stuff! |
|
You seem to have missed a little context here. The bulleted list to which you refer is introduced by, "For example, the list MAY include, but is not limited to:" In other words, the bulleted list is there merely to provide some ideas for things to include in the blocklist, not as a requirement that any particular thing be included. The intent of the blocklist is primarily to protect against online attacks, and the throttling requirements limit that to 100 guesses per account. Offline attacks should be protected against using good salted hashing, as memory- and compute-hard as practical. Also strongly consider using a secret-keyed hash or encryption, perhaps as a final step, using a very well protected key (perhaps doing this step in a separate processor, TEE/TPM, or the like). It's a very slippery slope what to include in the blocklist, and if you get carried away with a huge one it's easy to end up with very frustrated users. By the way, the thought on "context-specific words" was that perhaps an IRS taxpayer site might have a bunch of people using "Ihatetaxes" (or something ruder) as their password, which is why the blocklist needs to be context specific. Feel free to tag me if you have any more questions on this. Disclaimer: Although I am a co-author of SP 800-63B, I am not a NIST employee and the above comments represent my personal opinion, not an official statement from NIST. Hint, hint: The draft SP 800-63 revision 4 (including SP 800-63B-4) is currently out for public comment; NIST would welcome public comments through March 24, 2023. https://pages.nist.gov/800-63-4/ |
No hard feelings. All requirements should have clear argumentation, why it exists. Just the fact it exists somewhere else (in this case as optional consideration), is not enough. The reason is simple - if we have questionable requirements we will have in the future issues opened with question - what is the point of the requirements and what risk it mitigates. We just removed 2 requirements which also came as optional from NIST (ASVS v4.0.3 requirements 2.1.8, 2.1.12), so I have already went through this "lifecycle". The question I asked here - to have arguments, why some requirements should exists and I provided my arguments. I have proposed requirements and then got arguments against my proposals which I did not have in my mind yet - this is the way how to learn and how to get things clear. This is normal process. Just it's important to read everything pragmatically. In short - @drwetter please keep opening issues with your ideas and concerns, with this issue I think there is material for one new requirement and I'll focus on that. @jmanico - reading through @jimfenton response which says the same points like I did, so you still stand for "PR"? Pushing some thumbs down is not really ... just arguments please. We should have easy answers for those questions:
To be clear, just in case I repeat:
I don't think this requirement is with sufficient impact and it's complicated to develop (compared to potential/theoretical benefit) to be worth requirement in ASVS.
I have used this in pen-tests and I can say (and I have said previously) this is missing requirement from ASVS. |
elarlang
added
the
1) Discussion ongoing
|
Will take care of a PR by the end of the week. PS: That were no hard feelings I had. It's just that my desk is full with other things. And If my arguments weren't convincing I'd rather move on. The thing with pw cracking I'd still need to explain. I have a different stance then Jim F. |
|
I point out my comment from #1540 (comment)
|
|
Ok, there is a lot going on here but I think we need to clarify a few things:
Anything I have not covered? |
In reality, this is one of the lowest hanging fruit for web apps where authentication is done with username-password. Go-ahead from my side. Rest is said in: #1540 (comment) |
|
I'm with Elar, go ahead from my side. |
elarlang
added
3) awaiting proposal
tghosth
added
5) awaiting PR
Can you explain that? |
elarlang
added
the
2) Awaiting response
As I understand it, you want to open a PR with a new requirement focused on "context-specific words". I am saying that I am comfortable with that but the text of the requirement needs to make it very clear what the the implementer actually needs to do or what the tester needs to verify as it seems like it could be very complicated. E.g. are we just expecting them to chose some basic words like the company name and user name or are we expecting them to run a tool like https://github.com/digininja/CeWL and disallow anything it returns? I can see this being a difficult to interpret requirement otherwise. |
|
From NIST: https://pages.nist.gov/800-63-4/sp800-63b.html#memsecretver When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a blocklist that contains values known to be commonly used, expected, or compromised. For example, the list MAY include, but is not limited to:
Starter for the proposal: Problematic parts to solve:
|
|
I think that both the problems you highlight are highly significant and I am not sure we will successfully come up with a requirement that can overcome them... |
|
The key words here are, "For example,". This is just a list of ideas for things that might be included in the blocklist, and is not intended to be normative at all. That said, some of the suggestions do seem oddly specific, and more general examples might be more appropriate. |
tghosth
added
_5.0 - prep
|
Maybe one big ASVS requirement that lists possibilities just like NIST? This is not ideal but would at least address this gap. |
|
In practice I feel it's so important problem to solve that it is worth separate requirement. And in general I like more one thing per requirement solutions. |
I can get behind that. That seems very reasonable, @elarlang The only problem is - some of these requirements are just "for example" and not "you must do this" but we still should address it in some way. Any suggestions on how to make that happen? |
Yes, if it makes sense, we make new requirement and if it does not, we don't make :) No need to overthink. |
|
You’re missing the point Elar. These requirements from NIST are part of the things to consider and are not hard requirements, but we still should put them out there.
|
|
I said with kept that in mind and it is still valid (for me). |
To me, the key challenge is that if we are providing examples rather than explicit rules, how does someone know when they are complying and how does someone validate that an organization is complying? The only way that I can think of handling this is with two requirements along the lines of:
(this second requirement could also be rolled into either 2.1.7 or 2.1.14. |
|
I agree this is a problem. But there are no hard and fast specific rules for password policy, implementors have a wide variety of good choices to choose from. So I suggest we make a specific ASVS rule like "Implementors should choose 3 or more password rules from the following options: a,b,c,d,e,f,g." to turn the choice into a specific rule. |
I think this approach is problematic @jmanico I think that giving them a mix and match makes the standard hard to implement and verify, I would rather give them solid requirements. Do you have major objection to what I mentioned above?
(this second requirement could also be rolled into either 2.1.7 or 2.1.14. |
|
I'm comfortable with your suggestion Josh |
|
@tghosth - Ready to move I guess |
|
Created #1732 |
tghosth
added
6) PR awaiting review
and removed
3) awaiting proposal
I was just testing for a customer their password security and actually I also wanted to link hereto and not only to the NIST password standard (specifically: https://pages.nist.gov/800-63-3/sp800-63b.html#-5112-memorized-secret-verifiers)
But as it turned out, some points in the NIST standard are not in ASVS (https://github.com/OWASP/ASVS/blob/9b80241af66c09f4b8cc75a2d222ca62733e4f5f/5.0/en/0x11-V2-Authentication.md#v21-password-security) if I see that correctly:
Let me know if you like a PR and if so against which branch.
The text was updated successfully, but these errors were encountered: