(parent: f907dd3)
Fix V2 auth meaning of "not applicable"
author: Daan Sprenkels <dsprenkels@gmail.com> Fri, 18 Nov 2016 11:05:55 +0000 (12:05 +0100)
committer: Daan Sprenkels <dsprenkels@gmail.com> Fri, 18 Nov 2016 11:06:32 +0000 (12:06 +0100)
report/v2_authentication.tex
diff --git
a/report/v2_authentication.tex
b/report/v2_authentication.tex
index
69d1d00
..
d2407c4
100644
(file)
--- a/
report/v2_authentication.tex
+++ b/
report/v2_authentication.tex
@@
-241,20
+241,28
@@
e-mail or SMS should be a last resort and is known weak.
e-mail, which is considered weak (but not unsafe).
\end{result}
e-mail, which is considered weak (but not unsafe).
\end{result}
-\notapplicable{\item
+\item
+\fail{}
Verify that account lockout is divided into soft and hard
lock status, and these are not mutually exclusive. If an
account is temporarily soft locked out due to a brute force
attack, this should not reset the hard lock status.
Verify that account lockout is divided into soft and hard
lock status, and these are not mutually exclusive. If an
account is temporarily soft locked out due to a brute force
attack, this should not reset the hard lock status.
-% The application has not implemented any lockout mechanisms.
-}
+\begin{result}
+ The application has not implemented any lockout mechanisms.
+\end{result}
-\notapplicable{\item
+\item
+\pass{}
Verify that if shared knowledge based questions (also
known as ``secret questions'') are required, the questions
do not violate privacy laws and are sufficiently strong to
Verify that if shared knowledge based questions (also
known as ``secret questions'') are required, the questions
do not violate privacy laws and are sufficiently strong to
-protect accounts from malicious recovery.}
+protect accounts from malicious recovery.
+
+\begin{result}
+ The application uses no shared knowledge based questions, and thus not
+ violate any privacy laws.
+\end{result}
\item
\fail{}
\item
\fail{}
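Review bot: the new result text for the secret-questions item, "and thus not violate any privacy laws", is missing its verb; it should read "and thus does not violate any privacy laws". The reclassification itself matches the commit's intent: an absent lockout mechanism is a requirement the application fails rather than one that does not apply, so \item \fail{} with a \begin{result} block is the right form, and the secret-questions requirement is conditional ("if ... are required"), so \pass{} is defensible when no such questions exist. For the lockout item, the result block currently only records that no mechanism exists; it should also state the consequence the requirement guards against (an attacker can keep guessing passwords without any soft or hard lock being applied), since that is the finding a reader of the report needs.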
@@
-266,12
+274,15
@@
use of a configurable number of previous passwords.
require variation in the use of different passwords.
\end{result}
require variation in the use of different passwords.
\end{result}
-\notapplicable{\item
+\item
+\pass{}
Verify that risk based re-authentication, two factor or
Verify that risk based re-authentication, two factor or
-transaction signing is in place for high value transactions.
}
+transaction signing is in place for high value transactions.
-% There are no (really) risk based action or which re-authentication would be
-% fit
+\begin{result}
+ There are no (really) risk based action or which re-authentication would be
+ fit.
+\end{result}
\item
\fail{}
\item
\fail{}
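Review bot: the new result text "There are no (really) risk based action or which re-authentication would be fit." is ungrammatical; suggest "There are no high-value or risk-based actions for which re-authentication would be appropriate." The \pass{} rests on the claim that no such actions exist, the same vacuous-satisfaction reasoning used for the secret-questions item in the previous hunk, which is consistent, but the result block should name the account actions that were considered so a reader can check that none of them qualifies as high value.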
@@
-283,36
+294,45
@@
commonly chosen passwords and weak passphrases.
use some password strength estimator like \texttt{zxcvbn}\footnote{\url{https://github.com/dropbox/zxcvbn}}.
\end{result}
use some password strength estimator like \texttt{zxcvbn}\footnote{\url{https://github.com/dropbox/zxcvbn}}.
\end{result}
+\notapplicable{
\item
\item
-\fail{}
+
%
\fail{}
Verify that all authentication challenges, whether
successful or failed, should respond in the same average
response time.
Verify that all authentication challenges, whether
successful or failed, should respond in the same average
response time.
-\begin{result}
- String comparisation for checking password hases and password reset tokens
- are not in constant time.
-\end{result}
+% \begin{result}
+% String comparisation for checking password hashes and password reset
+% tokens are not in constant time.
+% \end{result}
+}
+\notapplicable{
\item
\item
-\fail{}
+
%
\fail{}
Verify that secrets, \API{} keys, and passwords are not
included in the source code, or online source code
repositories.
Verify that secrets, \API{} keys, and passwords are not
included in the source code, or online source code
repositories.
-\begin{result}
- The database credentials are hard coded in \code{config.php}. These
- credentials should ideally be passed using environment variables.
-\end{result}
+% \begin{result}
+% The database credentials are hard coded in \code{config.php}. These
+% credentials should ideally be passed using environment variables.
+% \end{result}
+}
\setcounter{enumi}{30}
\setcounter{enumi}{30}
-\notapplicable{\item
+\item
+\fail{}
Verify that if an application allows users to authenticate,
they can authenticate using two-factor authentication or
other strong authentication, or any similar scheme that
provides protection against username + password
Verify that if an application allows users to authenticate,
they can authenticate using two-factor authentication or
other strong authentication, or any similar scheme that
provides protection against username + password
-disclosure.}
+disclosure.
+
+\begin{result}
+ No surch features are implemented.
+\end{result}
\item
\fail{}
\item
\fail{}
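Review bot: wrapping the timing and secrets-in-source items in \notapplicable{...} and commenting out their result blocks removes two concrete findings from the rendered report (non-constant-time comparison of password hashes and password reset tokens; database credentials hard coded in \code{config.php}), even though the commented-out text still describes them as failures. If these items are being treated as out of scope for this assessment, say so in a visible result block and keep the observation; a hard-coded credential in source is exactly what the secrets requirement checks, so it reads as a \fail{} rather than as not applicable, and the suggested fix (pass the credentials via environment variables) is worth keeping in the report. Minor: "No surch features are implemented." should be "No such features are implemented."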