
2.6.4 looks rather weak

Open jmanico opened this issue 1 year ago • 8 comments

4 characters for a lookup secret (which is used in account recovery) looks SUPER weak and should be increased.

2.6.4 [ADDED] Verify that lookup secrets have a minimum of 20 bits of entropy (typically 4 random alphanumeric characters or 6 random digits is sufficient).   330 5.1.2.2

jmanico avatar Apr 18 '23 14:04 jmanico

2.7.6 also looks weak and may be a duplicate of 2.6.4

2.7.6 [MODIFIED] Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically 4 random alphanumeric characters or 6 random digits is sufficient).   310 5.1.3.2

jmanico avatar Apr 18 '23 14:04 jmanico

@jmanico I agree with your assessment of 2.6.4. The list of pre-generated codes should have much higher entropy. 2.7.6 is a bit different. 2.7 talks about items like Google Authenticator or other TOTP tools. A six-digit numeric code has 25.8 bits of entropy, which is largely the norm now.

I think 2.6.4 should be bumped to at least 50 bits of entropy. That's only a 32-digit numeric code. If a UUID4 is used, it bumps up to 128 bits.

As a side note... does it make sense to bump 2.7.6 to 25 bits of entropy?

mgargiullo avatar Apr 26 '23 16:04 mgargiullo

4 characters for a lookup secret (which is used in account recovery) looks SUPER weak and should be increased.

2.6.4 [ADDED] Verify that lookup secrets have a minimum of 20 bits of entropy (typically 4 random alphanumeric characters or 6 random digits is sufficient).   330 5.1.2.2

@jmanico This comes straight from the NIST guidance.

2.7.6 also looks weak and may be a duplicate of 2.6.4

2.7.6 [MODIFIED] Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically 4 random alphanumeric characters or 6 random digits is sufficient).   310 5.1.3.2

@jmanico Again, this comes straight from the NIST guidance.

These points make me think we need to consider how we apply/interpret the NIST guidance going forward because I agree it is confusing.

I am going to leave this issue open but it should be handled in the major rework exercise for this chapter.

tghosth avatar Jun 15 '23 11:06 tghosth

NIST guidance here is very bad. NIST also suggests using social security numbers as a username. Let's be better than NIST!

jmanico avatar Aug 30 '23 13:08 jmanico

I'd like to suggest a change for 2.6.4/2.7.6

2.6.4 [CHANGED] Verify that lookup secrets have a minimum of 128 bits of entropy (32 hex characters are sufficient).   330 5.1.2.2
2.7.6 [MODIFIED] Verify that the initial authentication code is generated by a secure random number generator, containing at least 128 bits of entropy (32 hex characters are sufficient).   310 5.1.3.2

Reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities

jmanico avatar Sep 27 '23 07:09 jmanico
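The thread argues about entropy figures (4 alphanumeric characters, 6 digits, 32 hex characters, 128 bits) without showing the arithmetic or a generator that actually meets the proposed 2.6.4/2.7.6 wording. The following is an added worked example, not code from the ASVS project or from any commenter above: it computes the entropy of a uniformly random code for a given alphabet and length, derives the length needed for a target such as 128 bits, generates lookup secrets with the `secrets` CSPRNG, and stores only hashes of unused secrets so each one can be redeemed exactly once. The function and class names (`entropy_bits`, `min_length_for_bits`, `generate_lookup_secrets`, `LookupSecretStore`) are assumptions made for this illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

DIGITS = string.digits                          # 10 symbols
ALNUM = string.ascii_letters + string.digits    # 62 symbols
HEX = "0123456789abcdef"                        # 16 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a code of `length` symbols drawn uniformly from
    an alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest code length whose entropy is at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_lookup_secrets(count: int, target_bits: int = 128,
                            alphabet: str = HEX) -> list[str]:
    """Generate `count` lookup secrets, each with at least `target_bits` of
    entropy, using the CSPRNG behind the `secrets` module (never `random`)."""
    length = min_length_for_bits(len(alphabet), target_bits)
    return ["".join(secrets.choice(alphabet) for _ in range(length))
            for _ in range(count)]


class LookupSecretStore:
    """Server-side record of a user's unused lookup secrets.

    Only SHA-256 digests are kept, so a database leak does not hand out the
    codes directly. A plain hash is reasonable at 128 bits of entropy; codes
    as short as the original 20-bit wording would need salting and a slow KDF
    because the whole space could be brute-forced offline.
    """

    def __init__(self, plaintext_secrets: list[str]):
        self._hashes = {self._digest(s) for s in plaintext_secrets}

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def redeem(self, candidate: str) -> bool:
        """Consume the secret if it is valid. Returns True once per secret."""
        digest = self._digest(candidate)
        matched = None
        # Walk every stored hash with a constant-time compare and without an
        # early break, so response timing does not reveal a partial match.
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self._hashes.discard(matched)   # single use: remove on success
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    # The figures quoted in the thread, recomputed.
    print(f"4 alphanumeric chars: {entropy_bits(62, 4):.1f} bits")
    print(f"6 digits:             {entropy_bits(10, 6):.1f} bits")
    print(f"32 hex chars:         {entropy_bits(16, 32):.1f} bits")
    print(f"digits needed for 128 bits: {min_length_for_bits(10, 128)}")

    codes = generate_lookup_secrets(10)          # ten 128-bit recovery codes
    store = LookupSecretStore(codes)
    print("first use:", store.redeem(codes[0]))  # True
    print("replay:   ", store.redeem(codes[0]))  # False, already consumed
    print("remaining:", store.remaining())
```

The arithmetic is the useful part: 4 alphanumeric characters give about 23.8 bits and 6 digits about 19.9 bits, so the original 2.6.4 wording permits a space that an online guessing attack with no rate limit can cover, while 32 hex characters give exactly 128 bits. `min_length_for_bits` makes the requirement portable across alphabets, which matters when a product insists on digit-only codes for usability.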