WebAppSec/Secure Coding Guidelines: Difference between revisions

WebAppSec/Secure Coding Guidelines (view source)

105 bytes added , 27 August 2010

Confirmed users

491

edits

@@ Line 37: / Line 37: @@
 === Password Reset Functions ===
-If a user has not requested a password reset, it would be nice if the user was
+The password reset page will accept the username and then send an email with a password reset link to the stored email address for that account.
-given the option to cancel that request. This would also be a good logging
-point too.
-We should hash the current and previous passwords and during a failed login
+The following message should be returned to the user regardless if the username or email address is valid.
-process, do a compare against these records. If they are different, this event
-would be higher then just a failed password attempt. We should also store the
+  An email has been sent to the requested account with further information. If
-last couple of failed passwords as a hash and also do a compare against them
+  you do not receive an email then please confirm you have entered the same
-too. This would be to detect if somebody is trying to brute force an account
+  email address used during account registration.
-which would generate a critical log message.
+We do not want to provide any information that would allow an attacker to determine if an entered username/email address is valid or invalid. Otherwise an attacker could enumerate valid accounts for phishing attacks or brute force attack.
 ===Password Storage===