OWASP Annotated Application Security Verification Standard
latest

Browse by chapter:

  • 1 Architecture, Design and Threat Modeling
  • 2 Authentication
    • 2.1 Password Security Requirements
      • 2.1.1 Passwords are at least 12 characters in length
      • 2.1.2 Passwords can be 64 characters or longer
      • 2.1.3 Passwords can contain spaces
      • 2.1.4 Unicode characters are permitted in passwords
      • 2.1.5 Users can change their password
      • 2.1.6 Password change requires current and new password
      • 2.1.7 Password are checked against breached passwords
      • 2.1.8 A password strength meter is provided
      • 2.1.9 No password character limitations
      • 2.1.10 No periodic credential rotation or password history requirements
      • 2.1.11 “paste” functionality, passwords helpers and password managers are permitted
      • 2.1.12 Temporarily viewable passwords
    • 2.2 General Authenticator Requirements
    • 2.3 Authenticator Lifecycle Requirements
    • 2.4 Credential Storage Requirements
    • 2.5 Credential Recovery Requirements
    • 2.6 Look-up Secret Verifier Requirements
    • 2.7 Out of Band Verifier Requirements
    • 2.8 Single or Multi Factor One Time Verifier Requirements
    • 2.9 Cryptographic Software and Devices Verifier Requirements
    • 2.10 Service Authentication Requirements
  • 3 Session Management
  • 4 Access Control
  • 5 Validation, Sanitization and Encoding
  • 6 Stored Cryptography
  • 7 Error Handling and Logging
  • 8 Data Protection
  • 9 Communications
  • 10 Malicious Code
  • 11 Business Logic
  • 12 Files and Resources
  • 13 API and Web Service
  • 14 Configuration
OWASP Annotated Application Security Verification Standard
  • Docs »
  • 2 Authentication »
  • 2.1 Password Security Requirements

2.1 Password Security Requirements¶

Browse by item:

  • 2.1.1 Passwords are at least 12 characters in length
  • 2.1.2 Passwords can be 64 characters or longer
  • 2.1.3 Passwords can contain spaces
  • 2.1.4 Unicode characters are permitted in passwords
  • 2.1.5 Users can change their password
  • 2.1.6 Password change requires current and new password
  • 2.1.7 Password are checked against breached passwords
  • 2.1.8 A password strength meter is provided
  • 2.1.9 No password character limitations
  • 2.1.10 No periodic credential rotation or password history requirements
  • 2.1.11 “paste” functionality, passwords helpers and password managers are permitted
  • 2.1.12 Temporarily viewable passwords
Next Previous

© Copyright 2019 Wessel van der Linden Revision 63d1bede.

Built with Sphinx using a theme provided by Read the Docs.