Web security
- A practical security guide for web developers
- Projects/OWASP Secure Web Application Framework Manifesto/Releases/Current/Manifesto - OWASP
- HTML5 Security Cheatsheet and HTML5 Security Cheatsheet
- The Open Web Application Security Project - OWASP
- Everything you need to know about HTTP security headers - Appcanary
Authentication
- Authentication Cheat Sheet - OWASP
- Authentication — Wikipedia
- Category:Authentication methods — Wikipedia
- The Current State Of Authentication: We Have A Password Problem – Smashing Magazine
- Security token — Wikipedia
- Password — Wikipedia
- GRC's | SQRL Secure Quick Reliable Login
- teesloane/Auth-Boss: Become an Auth Boss. Learn about different authentication methodologies on the web.
“Invalid Username or Password”, a useless security measure
You can confirm whether a username exists by trying to create a new account with the same username.
https://kev.inburke.com/kevin/invalid-username-or-password-useless/
- Rate limiting can go a fair way to preventing brute force attacks. To find email addresses, an attacker is going to need to try a lot of email addresses and/or a lot of passwords, and get a lot of them wrong. Consider throttling invalid login attempts by IP address or subnet. Check submitted passwords against a dictionary of common passwords (123456, monkey, etc.) and ban that traffic extra hard. Exponential backoff (forcing attackers to try again after 1, 2, 4, 8, 16, ... seconds) is useful.
- Give guidance to users about creating strong passwords. Allow easy integration with LastPass or 1Password.
- Add a 2-factor auth option to your website. Encourage users to use it.
- Warn users about malicious behavior ("someone is trying to snoop your password") and contact them about suspicious logins.
Password
Password rules
User (advice):
- use a long password
- use a mix of special characters, numbers, uppercase and lowercase letters
Implementation:
- show the advice above and use detection rules to show warnings
- require long passwords (at least 8 characters; if you impose a maximum length at all, allow at least 30 characters)
- don't allow the password to be equal to the username or the email address
- don't disallow copy/paste. It won't increase protection:
- Troy Hunt: The “Cobra Effect” that is disabling paste on password fields
- Let them paste passwords - NCSC Site
- Copy and paste is possible in form fields. - Good practice No. 104 - Opquast Website V3 Check-list - Opquast Check-lists
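The implementation rules above, plus the common-password dictionary check from the “Invalid Username or Password” notes, as an added example (not code from any of the linked projects). The common-password set is a small constructed sample and the 128-character cap is an assumption; hard rules come back as errors, the character-mix advice as warnings.

```python
from __future__ import annotations

import string

MIN_LENGTH = 8     # rule from the notes above: at least 8 characters
MAX_LENGTH = 128   # the notes say never cap below 30 characters; 128 is an assumed, generous cap

# Constructed sample of a common-password dictionary; a real deployment loads a full list.
COMMON_PASSWORDS = {"123456", "password", "monkey", "qwerty", "letmein", "12345678"}


def check_password(password: str, username: str, email: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors reject the password, warnings only advise the user."""
    errors: list[str] = []
    warnings: list[str] = []
    folded = password.casefold()  # case-insensitive comparison for the equality rules

    # Hard rules: length window, not equal to username/email, not a common password.
    if len(password) < MIN_LENGTH:
        errors.append(f"at least {MIN_LENGTH} characters required")
    if len(password) > MAX_LENGTH:
        errors.append(f"at most {MAX_LENGTH} characters allowed")
    if folded == username.casefold():
        errors.append("password must not equal the username")
    if folded == email.casefold():
        errors.append("password must not equal the email address")
    if folded in COMMON_PASSWORDS:
        errors.append("password is a commonly used password")

    # Advice-level detection: mix of lowercase, uppercase, digits and special characters.
    classes = {
        "lowercase letters": any(c.islower() for c in password),
        "uppercase letters": any(c.isupper() for c in password),
        "digits": any(c.isdigit() for c in password),
        "special characters": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        warnings.append("consider adding: " + ", ".join(missing))

    return errors, warnings


if __name__ == "__main__":
    for candidate in ("password", "Alice", "Tr0ub4dor&3xyz"):
        print(candidate, check_password(candidate, "alice", "alice@example.com"))
```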
Password strength:
- https://cups.cs.cmu.edu/meter/ - cupslab/password_meter: This project implements a data-driven password meter. Its effects on password security and usability were evaluated in the following publication: http://www.blaseur.com/papers/CHI17meter.pdf and a demo is available at: https://cups.cs.cmu.edu/meter/
- https://github.com/dropbox/zxcvbn and https://github.com/bjeavons/zxcvbn-php
- javascript - Password Strength Meter - Stack Overflow
- Password Strength Checker
- https://github.com/aarondo/Strength.js
- password meter - JSFiddle
- https://github.com/danpalmer/jquery.complexify.js
- Reusable Security: New Paper on Password Security Metrics - "Shannon entropy" (longer is stronger) is false
- Password strength — Wikipedia
SSO (Single sign-on)
If credentials leak, this could give access to more than one application/website.
Examples: OAuth, Google, Facebook, Twitter, LinkedIn, Github, etc.
Password hash cracking
fcrackzip
sudo port install fcrackzip
- -l (#-#): specify the minimum and maximum length of passwords to check
- -b: use brute force to crack the password
- -c (charset): specify the character set to use
- -u: unzip / filter incorrect passwords
Client certificate
Authenticate clients with certificates
- SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.2
- Technology/KnowledgeBase/ClientCerts - CAcert Wiki
- FAQ/ImportRootCert - CAcert Wiki
- FAQ/BrowserClients - CAcert Wiki
- Installing the Certificate through the Web Browser and Using client side ssl certificates in firefox and chrome
- ssl - How to install trusted CA certificate on Android device? - Stack Overflow