OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

split from 2.2.1 - disallow account lockout #2134

Open elarlang opened 4 days ago

elarlang commented 4 days ago

Spin-off from https://github.com/OWASP/ASVS/issues/1763#issuecomment-2401626104

As the current 2.2.1 requires work and should have a clear anti-automation goal, it makes sense to separate the lockout part from it.

The first question is: do we need this requirement? What does NIST say about it? How can it fire back?

In practice, I have seen "enough times" solutions where, via some web application authentication form, you can lock out an entire organization's or company's user base with incorrect credentials.

Idea proposal from @tghosth

Verify that malicious users cannot lock out legitimate users and admins through excessive incorrect login attempts?

This serves the goal of explaining the idea, but it should be written as a positive requirement.
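An added illustration (not part of this issue or of the ASVS project) of the failure mode described in the comment above: a per-account hard lockout lets a single source lock out every account, while an anti-automation throttle keyed on the failing source keeps the accounts usable. The class and function names, the user list and the IP addresses are constructed for the example; a real throttle would use a sliding time window rather than a counter that never resets.

```python
from collections import defaultdict

MAX_FAILURES = 5  # simplified threshold; real deployments use a time window


class NaiveLockout:
    """Hard-locks an account after MAX_FAILURES bad passwords, whoever sent them."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, username, source_ip, password_ok):
        if username in self.locked:
            return "locked"  # the legitimate owner is now denied as well
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked.add(username)
        return "denied"


class SourceThrottle:
    """Throttles the source of the failures instead of locking the target account.

    A burst of failures from one IP slows that IP down; the account itself stays
    usable from elsewhere. (A distributed attacker needs extra signals such as
    device or behavioural fingerprints, which this toy omits.)
    """

    def __init__(self):
        self.failures_by_source = defaultdict(int)

    def attempt(self, username, source_ip, password_ok):
        if self.failures_by_source[source_ip] >= MAX_FAILURES:
            return "throttled"  # only this source is affected
        if password_ok:
            return "ok"
        self.failures_by_source[source_ip] += 1
        return "denied"


def simulate(policy, users, attacker_ip="203.0.113.9"):
    """One source sprays wrong passwords at every user; afterwards each user logs
    in with the correct password from their own address. Returns how many succeed."""
    for user in users:
        for _ in range(MAX_FAILURES):
            policy.attempt(user, attacker_ip, password_ok=False)
    return sum(policy.attempt(user, f"10.0.0.{i}", password_ok=True) == "ok"
               for i, user in enumerate(users, start=1))
```

With three constructed users, `simulate(NaiveLockout(), users)` returns 0 (everyone locked out) and `simulate(SourceThrottle(), users)` returns 3.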

tghosth commented 4 days ago

I feel that we satisfy this enough by not requiring lockout, and I don't really want a separate requirement, but I am open to suggestions.