开发者

Are there any published frameworks or standards for passwords and website membership?

I am currently working on a project in which we are creating a large public website for my organization. This site is going to allow out clients to register and log in to obtain sensitive personal information.

From experience I know some of the basics like requiring a complex password and requiring an email address for a password reset that are common used.

Basically what I'm looking for is some sort of well documented recommendation or standards(like NIST or ISO) for these kinds of requirements.

I need to present this to a higher level director who is insisting on us:

  • not requiring the users to have an email address
  • asking us to allow the users to ha开发者_StackOverflowve our site display the password back to the user just by verifying a Name, Birthday and SSN
  • emailing the password in plain text as opposed to emailing a temp password and having them come to our site to reset the PW.
  • requiring we assign simple system generated username like first intial, first 3 characters of the last name with a 4 digit randomly generated number. (as opposed to the user picking any name they want)

If I can present some type of industry standard on why these are such risks it would really help.


Ok, let me answer the suggestions of your Pointy-Haired director (I understood you know he is just wrong, don't take it personally), I just can't resist:

  • not requiring the users to have an email address

Welcome to fake accounts.

  • asking us to allow the users to have our site display the password back to the user just by verifying a Name, Birthday and SSN

In my country and culture, privacy is a real concern so you'll never get my SSN and I won't register to any site asking this. BTW, if this is an information that can be found on the web (I've heard it's the case in the US), this doesn't seem really secure. Why not a security question to add some personal entropy?

  • emailing the password in plain text as opposed to emailing a temp password and having them come to our site to reset the PW.

LOL! First, how would you do this if you don't have the user's email address (and didn't verify it during registration)? Then, being able to send a password back means that you aren't going to store hashes of salted passwords. Bad idea. Is you director planning to store clear passwords (in the worst case) or to use symmetric encryption (in the best case)? In the later case, I'd like to know where he's planning to store the symmetric encryption key. Maybe on a post-it note under his keyboard. Not sure it's worth to mention that email is not secured.

  • requiring we assign simple system generated username like first initial, first 3 characters of the last name with a 4 digit randomly generated number (as opposed to the user picking any name they want)

Having a system suggesting available usernames is ok (especially when it's hard to find an available one) but I don't like when they don't allow me to choose a username. Having that said, I don't consider forcing a username as a major threat.


So, in other words, I really wouldn't trust a site with such practices and wouldn't give it any sensible information. Actually, I wouldn't give any information at all (i.e. not register) but I'm not the lambda user.

I know this is not a direct answer to the question but, seriously, when will people with absolutely no clue about something start to let people with a better understanding do their work? This is so ridiculous.


Now, some suggestions to answer the question:

  • The Definitive Guide To Website Authentication (beta)
  • Best practices for web login / authentication?
  • The OWASP's Guide to Authentication
  • The Weak Password Recovery Validation from the WASC Threat Classification


OWasp is specifically designed to contain standards for security, although it has a lot of articles that are too specific for what you want. You might want to try their development guide or ask on their forum the same question.


The W3C has a security group with a load of bumf. It may contain something that you want. The WASC also has a lot of info and looks authorative.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜