Hi, how are you? I wanted to bring up this topic. I understand that the reason the @foal/password package was removed is that most common passwords were in English. However, I was reading the OWASP Top 10 "standard". Link: https://owasp.org/Top10/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard
What is OWASP?
Explained in my words, it is a "community" security standard, accepted by many companies as a "security basic manual". From time to time they make a top 10 of the vulnerabilities that most affect projects, and how to solve or mitigate them.
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
The OWASP Top 10 is primarily an awareness document. However, this has not stopped organizations using it as a de facto industry AppSec standard since its inception in 2003. If you want to use the OWASP Top 10 as a coding or testing standard, know that it is the bare minimum and just a starting point.
In the Top 10, the "OWASP Top 10:2021 A07 Identification and Authentication Failures" caught my attention.
I marked in bold the point that caught my attention.
https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
Description:
(...)
Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
(...)
And the How to prevent:
(...)
Implement weak password checks, such as testing new or changed passwords against the top 10,000 worst passwords list.
(...)
My point is that using this list is part of the Top 10 of a standard accepted worldwide by many companies.
I think the cost of having @foal/password, along with the benefits it includes, is 100% worth it.
What do you think?
Thank you very much for reading
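As an added example that is not part of this post or of the @foal/password package, here is a TypeScript sketch of the weak-password check that OWASP A07 describes: the candidate password is normalised and looked up in a parsed worst-passwords list (a small constructed sample here, standing in for the real top-10,000 list), and it is also compared with the username to catch the "admin/admin" default-credential pattern the Top 10 mentions. The function names and the sample list are assumptions, not anything from the framework.

```typescript
// Added example, not code from the original post or from the @foal/password
// package: a weak-password check of the kind OWASP A07 recommends, testing a
// new or changed password against a "worst passwords" list and against the
// "admin/admin" default-credential pattern. All names here are hypothetical.

// Constructed sample standing in for the real top-10,000 list (one password
// per line, blank lines and '#' comments ignored). A deployment would load
// the full list from a file once at startup and keep the Set in memory.
const SAMPLE_WORST_PASSWORDS_TXT = `
# constructed sample list, not the real one
123456
password
Password1
qwerty
admin
letmein
contraseña
`;

/** Case-insensitive form so "PASSWORD1" and "Password1" compare equal. */
function normalise(password: string): string {
  return password.trim().toLowerCase();
}

/** Parse a one-password-per-line list into a normalised lookup Set. */
function parsePasswordList(text: string): Set<string> {
  const list = new Set<string>();
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    list.add(normalise(line));
  }
  return list;
}

const WORST_PASSWORDS: Set<string> = parsePasswordList(SAMPLE_WORST_PASSWORDS_TXT);

/** True when the password is on the list, ignoring case and surrounding spaces. */
function isCommonPassword(password: string, list: Set<string> = WORST_PASSWORDS): boolean {
  return list.has(normalise(password));
}

interface PasswordCheckResult {
  ok: boolean;
  reasons: string[]; // human-readable reasons, safe to show to the user
}

/**
 * Policy for new or changed passwords: reject list hits, passwords equal to
 * the username (the "admin/admin" case), and very short passwords. Every
 * failing reason is collected so the user sees all problems at once.
 */
function checkNewPassword(
  password: string,
  username = '',
  minLength = 8,
  list: Set<string> = WORST_PASSWORDS,
): PasswordCheckResult {
  const reasons: string[] = [];
  if (password.length < minLength) {
    reasons.push(`shorter than ${minLength} characters`);
  }
  if (isCommonPassword(password, list)) {
    reasons.push('appears on the well-known passwords list');
  }
  if (username !== '' && normalise(password) === normalise(username)) {
    reasons.push('identical to the username');
  }
  return { ok: reasons.length === 0, reasons };
}

// Stand-alone run: print the verdict for a few constructed candidates.
const candidates: Array<[string, string]> = [
  ['admin', 'admin'],
  ['alice', 'Password1'],
  ['bob', 'correct horse battery staple'],
];
for (const [user, pw] of candidates) {
  console.log(`${user} / ${pw}:`, checkNewPassword(pw, user));
}
```

The list is normalised once at parse time and the candidate once at check time, so the lookup is a constant-time Set membership test even with the full 10,000-entry list; the check runs only on password creation or change, so it never touches the stored hash and adds nothing to the login path.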