R332. Prevent the use of breached passwords

Requirement

The system must check new passwords against a list of 1000 to 10000 breached passwords.

Description

Several password-cracking techniques rely on public lists of breached credentials. Systems must check submitted passwords against some of these lists and reject account creation and password update operations whose passwords appear in them.
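A local implementation of this check, added here as an example and not part of the Fluid Attacks requirement text: it stores only SHA-1 hashes of a constructed sample list (standing in for the real 1000 to 10000 entry list), gates new passwords against it, and also reproduces the hash-prefix (k-anonymity) range lookup that external breached-password APIs offer, so the flow can be exercised offline.

```python
import hashlib
from typing import Dict, Iterable, Tuple

# Constructed sample list standing in for a real breached-password list.
SAMPLE_BREACHED = ["123456", "password", "qwerty", "letmein", "Password1!"]


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form breached-password lists usually use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachedPasswordChecker:
    """Local check: keep only hashes of breached passwords, never the plaintext."""

    def __init__(self, breached: Iterable[str]):
        self._hashes = {sha1_hex(p) for p in breached}

    def is_breached(self, password: str) -> bool:
        return sha1_hex(password) in self._hashes

    def range_lookup(self, prefix: str) -> Dict[str, int]:
        """Server side of a k-anonymity range lookup (hypothetical stand-in for an
        external API): given the first 5 hex chars of a hash, return every matching
        suffix. Counts are 1 because the sample list carries no frequencies."""
        prefix = prefix.upper()
        return {h[5:]: 1 for h in self._hashes if h.startswith(prefix)}


def check_with_range_lookup(checker: BreachedPasswordChecker, password: str) -> bool:
    """Client side of the k-anonymity flow: only the 5-char prefix leaves the
    client; the full hash is compared locally against the returned suffixes."""
    digest = sha1_hex(password)
    return digest[5:] in checker.range_lookup(digest[:5])


def validate_new_password(checker: BreachedPasswordChecker, password: str) -> Tuple[bool, str]:
    """Gate for account creation / password update. Returns (accepted, reason)."""
    if checker.is_breached(password):
        return False, "password appears in a breached-password list"
    return True, "ok"
```

In production the list would be loaded from a file of precomputed hashes rather than from plaintext values, and the same gate runs on registration, login and password change as ASVS 2.1.7 requires.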

References

  1. CWE-521: Weak Password Requirements. "The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts."

  2. NIST 800-63B 5.1.1.2 Memorized Secret Verifiers. "Verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised."

  3. OWASP-ASVS v4.0.1 V2.1 Password Security Requirements (2.1.7). "Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally or using an external API."

  4. OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements (2.2.1). "Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account."

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.