OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: Credential_Stuffing_Prevention_Cheat_Sheet #1315

Open SCFTW opened 5 months ago

SCFTW commented 5 months ago

What is missing or needs to be updated?

A couple of suggestions for the Credential Stuffing cheat sheet:

  1. The MFA section should link to the MFA cheat sheet (reciprocating the link to the credential stuffing cheat sheet from the MFA cheat sheet).
  2. With the 2023 expansion in support for FIDO2 passkeys, the line saying that MFA may not be practical should be replaced with a suggestion of passkeys to prevent credential stuffing.

How should this be resolved?

Changes suggested inline above. Could also mention FIDO UAF or U2F device-bound software or hardware passkeys as well; not sure if this is getting too far into the weeds for a cheat sheet?

jmanico commented 5 months ago

I like all of these ideas, PR!

mackowski commented 4 months ago

@SCFTW awesome issue. Do you want to make a PR for this?

SCFTW commented 3 months ago

I'm working on these and a few other minor updates to the credential stuffing cheat sheet.