Closed sandyblizzard closed 10 months ago
Hi @sandyblizzard,
Sorry for the delay in responding to this. I think this is fantastic and would love for you to work on it.
The only comment I have is around password strength controls:
The 3rd section would be on password policies. Specifically, passwords should be rotated periodically, historical passwords should not be allowed and the top 100k passwords should be disallowed. The current year should also not be allowed as a portion of the password; otherwise users may use the same base password in combination with the current year.
I would recommend trying to keep this guidance consistent with the guidelines in the Authentication Cheat Sheet and the links provided there, particularly ASVS (updated link). It's likely that the Authentication Cheat Sheet will itself need an update and this may be an opportune time to handle that as well, once you're working on this topic.
Thanks! Good point on the password strength; I am reviewing the authentication cheat sheet. I've already noticed that the ACS uses the term 'user enumeration' while I am using 'account validation'. I plan on adopting the existing term instead.
As an update, I will be putting in a pull request with proposed changes early next on Nov 6th or 7th.
What is missing or needs to be updated?
The Credential Stuffing Prevention Cheat Sheet would benefit from numerous additions that reflect the current state of credential stuffing attacks.
How should this be resolved?
The cheat sheet should incorporate information regarding account validation attacks. This is a related attack that may proceed credential stuffing, where a bad actor identifies what accounts exist on a platform. Invalid accounts are pruned from their credential list, thereby increasing the efficiency of a subsequent credential stuffing attack. This type of attack will typically abuse a customer sign-up process that rejects the creation of new accounts when usernames or email address are already in use.
The IP Block list section could use numerous updates, especially when considering credential stuffing against customer facing authentication endpoints.
Require unpredictable usernames section should be reformatted into three sections.
The defense in depth section should have several items added to it:
A section on operational security considerations should be added. Namely, the idea that an authentication endpoint should not give an indication that the password succeed or failed when additional checks, such as MFA are performed. As an example, if a user must enter the correct password to see the MFA screen, a bad actor could leverage this as an indicator that the password was correct. Further, security staff may see a large volume of authentication attempts with 0% success rate due to MFA failures, and incorrectly conclude defenses worked as intended.
A more extreme rewrite of the cheat sheet could be organized in the following fashion: