elarlang
commented
4 years ago Well, I dig to it more deeply.
Password change functionality
Current:
- V2.1.5 Verify users can change their password.
- V2.1.6 Verify that password change functionality requires the user's current and new password.
- V2.1.10 Verify that there are no periodic credential rotation or password history requirements.
Recommendations:
- [x] Recommendation no 1: Split V2.1.10 to 2 different requirements. First part is for functionality, second part for password content.
- moved to issue #940
Password format (min length, max length, allowed characters)
Current:
- V2.1.1 Verify that user set passwords are at least 12 characters in length.
- V2.1.2 Verify that passwords 64 characters or longer are permitted.
- V2.1.3 Verify that passwords can contain spaces and truncation is not performed. Consecutive multiple spaces MAY optionally be coalesced.
- V2.1.4 Verify that Unicode characters are permitted in passwords. A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted.
- V2.1.9 Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters.
Recommendations:
- [x] Recommendation no 2: add requirement, that all ascii chars must be allowed for password. From NIST 5.1.1.2:
- fixed by issue #691
All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets.
- fixed by issue #691
Note: from NIST point of view, requirements for "max length 64", "allow all ascii chars", "allow unicode" and "no composition rules" are with keyword SHOULD.
Password content
Current:
- V2.1.7 Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password.
- V2.1.10 Verify that there are no periodic credential rotation or password history requirements.
Problems:
- V2.1.7 is a monster - contains 3 different requirements
- V2.1.7 is looking only for breaches, must look "password blacklist" in general
NIST 5.1.1.2:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
Recommendations:
- Recommendation no 3: V2.1.7 - split it to 3 different requirements (remove current version of V2.1.7)
- Recommendation no 4: add requirement, that password should not contain dictionary words and "1337 speaking version" of them (example: password > pa55w0rd) (part of passwords blacklist)
- you may argue, that with min length 12 list of dictionary words are quite limited, in real world I can not see min length for 12 happening any time soon, because sites and businesses want to keep their visitors.
- Recommendation no 5: add requirement, that password should not contain expected and context-specific words, like user data or site data and "1337 speaking version" of them (example: owaspasvs > 0wa5pasvs) (part of passwords blacklist).
- Recommendation no 6: add requirement (first part of current V2.1.7), that password can not be something, which is available in breaches (part of passwords blacklist)
- [x] Recommendation no 7: add requirement (second part of current V2.1.10), that application must not blacklist previously used passwords and must not keep password history
- if application keeps password history and it leaks, it causes even more damage
- moved to issue #940
- Recommendation no 8: add requirement (modified first part of V2.1.7) Verify that passwords submitted during account registration, login, and password change are checked against password blacklist.
- It makes sense to check it against password blacklist, not only against breaches. If blacklist is modified, it affects all users.
- Recommendation no 9: add requirement (replaces last part of V2.1.7), that if on authentication, password is found from blacklist, user is forced to change it.
- Recommendation no 10: add requirement (replaces last part of V2.1.7), that if on authentication, password is found from breach, user is forced to reactivate account.
- If password is found from / available in breach, it's possible, that some attacker authenticated.
- I kept it separate from previous one, to be able to set this requirement from Level 2 or Level 3.
- Recommendation no 11: add requirement (middle part of V2.1.7), If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password.
Note: from NIST point of view, requirements for "no periodic change" and "allow unicode" are with keyword SHOULD.
Userinterface requirements
Current:
- V2.1.8 Verify that a password strength meter is provided to help users set a stronger password.
- V2.1.11 Verify that "paste" functionality, browser password helpers, and external password managers are permitted.
- V2.1.12 Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as native functionality.
Recommendations:
Recommendation no 12: split V2.1.11 to separate requirements. At least "paste" and rest of it separately.- update: does not matter too much, let it be.
Discussion: V2.1.11 "browser password helpers" - does it mean "autocomplete"? Personally I don't think it's best idea, because it's possible to read autofilled credentials from authentication form with XSS on background without any user-interaction at all or with one keypress or click on site needed (depends on browser). If I compare risks or likelyhoods - I guess XSS is widespread enough compared to "with autocomplete users may use stronger password".
In NIST, all mentioned "requirements" are with keyword SHOULD. From "Legend" in OWASP ASVS (example https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md), those requirements must have "mark" o "Recommended, but not required" instead of ✓ "Required".
averell23
jmanico
tghosth
stiiin
By rules, how weak can be password
And if someone says weak, then... weak against what?
Weak against brute force
and
By current rules, ASVS v4 accepts password with only numbers and 12 symbols long. It's about the same strong as capital-letter + lower-case letters + numbers and 7 symbols long.
1028071702528[A-Za-z0-9]71111111111110[0-9]122821109907456[a-z0-9]85429503678976[a-z]953459728531456[A-Za-z0-9]8I think requirement V2.1.9 needs some modification. Only numbers are not ok. Can not really write this kind of recommendation to pen-test report.
Weak against dictionary attacks
In theory, it should keep passwords okeish against dictionary attacks.
I personally miss one more requirement, with meaning (but not given wording):
User must avoid simple-stupid-predictable-passwords, like:
Using personal data or site name as password is widespread behavior and this kind of weak passwords give more realistic attack vector (online dictionary attacks) compared to offline (how you got hashes!?) brute force or using massive breach data sets.