OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Set Account Lockout ASVS Levels 1-3 Aligned to NIST, PCI-DSS, CIS et al #2011

Closed cmlh closed 1 month ago

cmlh commented 3 months ago

ASVS Requirement 2.2.1 states "... More than 5 failed authentication attempts per hour for a single account should trigger some sort of reaction or alert. ..."

To expand on @TheDauntless's comment within https://github.com/OWASP/ASVS/issues/906#issuecomment-782739441, I'd like the ASVS Levels to align with PCI-DSS and CIS.

NIST Special Publication 800-63B sets the limit to <100 as reproduced below:

[image: screenshot of the NIST SP 800-63B requirement, not reproduced here]

PCI-DSS 4.0.1 sets the limit to 10 as reproduced below:

[image: screenshot of the PCI-DSS 4.0.1 requirement, not reproduced here]

CIS sets the limit to 5 as reproduced below as provided by @TheDauntless:

[image: screenshot of the CIS requirement, not reproduced here]

Can we set the limits to <=100, 10, 5 for ASVS Level 1, 2, 3 respectively?

All other issues referencing "lockout"

elarlang commented 1 month ago

Two things are mixed here: the issue title asks to align "account lockout limits", but the content points to rate limiting and account lockout, and those are in conflict with each other (NIST vs PCI).

The direction should be: do NOT use lockouts.

We have separate issues to handle those:

Closing this as duplicate.
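The distinction the closing comment draws, between a hard account lockout and rate limiting plus alerting, is easiest to see side by side. The following is an added example written for this page; it is not ASVS project code and not anything either commenter posted. The lockout threshold of 10 reuses the PCI-DSS figure quoted in the issue and the alert threshold of 5 per hour reuses the ASVS 2.2.1 figure; the 30-minute lock duration, the exponential delay formula, its 60-second cap, the `FakeClock`, and the account names are assumptions made for the demonstration.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600     # the "per hour" window quoted from ASVS 2.2.1
ALERT_THRESHOLD = 5       # ASVS 2.2.1: more than 5 failures/hour should trigger a reaction or alert
MAX_DELAY_SECONDS = 60    # assumption: cap on the throttle delay


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LockoutPolicy:
    """Hard lockout: after `threshold` failures the account is refused for
    `lock_seconds`, no matter who caused the failures. Anyone who knows the
    username can keep the legitimate user locked out (denial of service)."""
    def __init__(self, threshold=10, lock_seconds=1800, now=time.time):
        self.threshold = threshold          # 10 = PCI-DSS figure quoted in the issue
        self.lock_seconds = lock_seconds    # 30 minutes is an assumption here
        self._now = now
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account):
        return self._now() < self._locked_until.get(account, 0)

    def record_failure(self, account):
        self._failures[account] += 1
        if self._failures[account] >= self.threshold:
            self._locked_until[account] = self._now() + self.lock_seconds
            self._failures[account] = 0

    def record_success(self, account):
        self._failures.pop(account, None)


class ThrottleAndAlertPolicy:
    """Sliding-window failure counter per account. The account is never locked:
    once the window holds ALERT_THRESHOLD failures an alert is raised and each
    further attempt is delayed (exponentially, capped), so a correct password
    still gets through, just slowly, while guessing becomes impractical."""
    def __init__(self, now=time.time):
        self._now = now
        self._failures = defaultdict(deque)   # account -> timestamps of failures
        self.alerts = []                      # (account, timestamp) of alerts raised

    def _window(self, account):
        q = self._failures[account]
        now = self._now()
        while q and now - q[0] >= WINDOW_SECONDS:   # drop failures older than one hour
            q.popleft()
        return q

    def failures_in_window(self, account):
        return len(self._window(account))

    def delay_seconds(self, account):
        n = self.failures_in_window(account)
        if n < ALERT_THRESHOLD:
            return 0
        return min(2 ** (n - ALERT_THRESHOLD), MAX_DELAY_SECONDS)   # assumed formula

    def record_failure(self, account):
        q = self._window(account)
        q.append(self._now())
        if len(q) == ALERT_THRESHOLD:
            self.alerts.append((account, self._now()))
        return len(q)

    def record_success(self, account):
        self._failures.pop(account, None)


def victim_blocked_under_lockout(clock, attacker_failures=12):
    """An attacker submits 12 wrong passwords for 'alice'; is alice's next,
    correct login refused? Under a hard lockout it is."""
    policy = LockoutPolicy(now=clock)
    for _ in range(attacker_failures):
        policy.record_failure("alice")
    return policy.is_locked("alice")


def victim_delay_under_throttle(clock, attacker_failures=12):
    """Same attack under throttle-and-alert: returns (alerts raised, delay in
    seconds alice waits before her correct login is processed)."""
    policy = ThrottleAndAlertPolicy(now=clock)
    for _ in range(attacker_failures):
        policy.record_failure("alice")
    return len(policy.alerts), policy.delay_seconds("alice")


if __name__ == "__main__":
    clock = FakeClock()
    print("lockout refuses alice:", victim_blocked_under_lockout(clock))
    print("throttle (alerts, delay):", victim_delay_under_throttle(clock))
```

The two policies count the same events; the difference is what happens to the legitimate user afterwards. Under `LockoutPolicy` the attacker's failures alone are enough to deny alice service for the lock period, which is why the comment above argues against lockouts. Under `ThrottleAndAlertPolicy` the fifth failure in the hour raises the alert ASVS 2.2.1 asks for, further guesses cost the attacker an ever-longer wait, and failures expire out of the window after an hour.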