X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv2_authentication.tex;h=d2407c4c254d0fb9414a6ba4b40233c5a9ae9496;hb=3c8879cf6599fdcea20ac18910260e929d65bec4;hp=ea7cbe59f6e0af0c107f3bb373cfedd33c7dff88;hpb=ab07a45a03cd0b93541d8238e6006441158f5230;p=ssproject1617.git diff --git a/report/v2_authentication.tex b/report/v2_authentication.tex index ea7cbe5..d2407c4 100644 --- a/report/v2_authentication.tex +++ b/report/v2_authentication.tex @@ -221,8 +221,8 @@ stored in a protected location. However, the installation instructions state the following: \begin{verbatim} -Change the file permissions to allow all users write access to the folder -you extracted testcms to. +Change the file permissions to allow all users write access to the +folder you extracted testcms to. \end{verbatim} This implies making the configuration file readable for all users on the system. This information should not be accessible for any user other than @@ -241,20 +241,28 @@ e-mail or SMS should be a last resort and is known weak. e-mail, which is considered weak (but not unsafe). \end{result} -\notapplicable{\item +\item +\fail{} Verify that account lockout is divided into soft and hard lock status, and these are not mutually exclusive. If an account is temporarily soft locked out due to a brute force attack, this should not reset the hard lock status. -% The application has not implemented any lockout mechanisms. -} +\begin{result} + The application has not implemented any lockout mechanisms. +\end{result} -\notapplicable{\item +\item +\pass{} Verify that if shared knowledge based questions (also known as ``secret questions'') are required, the questions do not violate privacy laws and are sufficiently strong to -protect accounts from malicious recovery.} +protect accounts from malicious recovery. + +\begin{result} + The application uses no shared knowledge based questions, and thus not + violate any privacy laws. +\end{result} \item \fail{} 
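Review bot: the new result for the secret-questions item has a grammar slip and a thin justification: "and thus not violate any privacy laws" should read "and thus does not violate any privacy laws", and since the requirement is conditional ("if shared knowledge based questions ... are required"), the result should state outright that the control is satisfied because no such questions are used, so the \pass{} is traceable. Compare with the lockout item just above it, where the absence of the feature is (correctly) recorded as a \fail{}; a reader will wonder why absence fails one item and passes the next unless the conditional nature of the second requirement is spelled out. The verbatim reflow in the first part of the hunk is fine.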
@@ -266,12 +274,15 @@ use of a configurable number of previous passwords. require variation in the use of different passwords. \end{result} -\notapplicable{\item +\item +\pass{} Verify that risk based re-authentication, two factor or -transaction signing is in place for high value transactions.} +transaction signing is in place for high value transactions. -% There are no (really) risk based action or which re-authentication would be -% fit +\begin{result} + There are no (really) risk based action or which re-authentication would be + fit. +\end{result} \item \fail{} 
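Review bot: the result text "There are no (really) risk based action or which re-authentication would be fit." is ungrammatical and does not actually justify the new \pass{}; suggest "There are no high value transactions in the application for which risk based re-authentication or transaction signing would apply." Also reconsider whether \pass{} is the right verdict: the control is only met vacuously, and a note that no high value transactions exist reads more honestly than a pass.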
@@ -283,36 +294,45 @@ commonly chosen passwords and weak passphrases. use some password strength estimator like \texttt{zxcvbn}\footnote{\url{https://github.com/dropbox/zxcvbn}}. \end{result} +\notapplicable{ \item -\fail{} +% \fail{} Verify that all authentication challenges, whether successful or failed, should respond in the same average response time. -\begin{result} - String comparisation for checking password hases and password reset tokens - are not in constant time. -\end{result} +% \begin{result} +% String comparisation for checking password hashes and password reset +% tokens are not in constant time. +% \end{result} +} +\notapplicable{ \item -\fail{} +% \fail{} Verify that secrets, \API{} keys, and passwords are not included in the source code, or online source code repositories. -\begin{result} - The database credentials are hard coded in \code{config.php}. These - credentials should ideally be passed using environment variables. -\end{result} +% \begin{result} +% The database credentials are hard coded in \code{config.php}. These +% credentials should ideally be passed using environment variables. +% \end{result} +} \setcounter{enumi}{30} -\notapplicable{\item +\item +\fail{} Verify that if an application allows users to authenticate, they can authenticate using two-factor authentication or other strong authentication, or any similar scheme that provides protection against username + password -disclosure.} +disclosure. + +\begin{result} + No surch features are implemented. +\end{result} \item \fail{}
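Review bot: the first two items in this hunk downgrade concrete findings to \notapplicable{} by commenting out the \fail{} and the result, but the commented text still records real defects: non-constant-time comparison of password hashes and reset tokens, and database credentials hard coded in \code{config.php}. Neither requirement depends on an optional feature (every application that checks a password or reset token and every application with a configuration file is in scope), so they should stay \fail{} with the results restored; if they are being excluded for a scoping reason, say so in a visible result rather than a comment, otherwise the report silently loses two findings. Minor: "No surch features are implemented." should be "No such features are implemented."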