views: 91, answers: 3

I am currently working on a project in which we are creating a large public website for my organization. This site is going to allow our clients to register and log in to obtain sensitive personal information.

From experience I know some of the basics that are commonly used, like requiring a complex password and requiring an email address for a password reset.

Basically what I'm looking for is some sort of well-documented recommendation or standard (like NIST or ISO) for these kinds of requirements.

I need to present this to a higher level director who is insisting on us:

  • not requiring the users to have an email address
  • asking us to allow the users to have our site display the password back to the user just by verifying a Name, Birthday and SSN
  • emailing the password in plain text as opposed to emailing a temp password and having them come to our site to reset the PW.
  • requiring we assign a simple system-generated username like first initial, first 3 characters of the last name, and a 4-digit randomly generated number (as opposed to the user picking any name they want)

If I can present some type of industry standard on why these are such risks it would really help.

+1  A: 

The W3C has a security group with a load of bumf. It may contain something that you want. The WASC also has a lot of info and looks authoritative.

Jeremy French
+2  A: 

OWASP is specifically designed to contain standards for security, although it has a lot of articles that are too specific for what you want. You might want to try their development guide or ask the same question on their forum.

Kathy Van Stone
+3  A: 

Ok, let me answer the suggestions of your pointy-haired director (I understand you know he is just wrong; don't take it personally), I just can't resist:

  • not requiring the users to have an email address

Welcome to fake accounts.

  • asking us to allow the users to have our site display the password back to the user just by verifying a Name, Birthday and SSN

In my country and culture, privacy is a real concern, so you'll never get my SSN and I won't register on any site asking for this. BTW, if this is information that can be found on the web (I've heard it's the case in the US), this doesn't seem really secure. Why not a security question to add some personal entropy?

  • emailing the password in plain text as opposed to emailing a temp password and having them come to our site to reset the PW.

LOL! First, how would you do this if you don't have the user's email address (and didn't verify it during registration)? Then, being able to send a password back means that you aren't going to store salted hashes of passwords. Bad idea. Is your director planning to store clear passwords (in the worst case) or to use symmetric encryption (in the best case)? In the latter case, I'd like to know where he's planning to store the symmetric encryption key. Maybe on a post-it note under his keyboard. Not sure it's worth mentioning that email is not secure.

  • requiring we assign a simple system-generated username like first initial, first 3 characters of the last name, and a 4-digit randomly generated number (as opposed to the user picking any name they want)

Having a system suggest available usernames is ok (especially when it's hard to find an available one), but I don't like it when they don't allow me to choose a username. That said, I don't consider forcing a username a major threat.


So, in other words, I really wouldn't trust a site with such practices and wouldn't give it any sensitive information. Actually, I wouldn't give any information at all (i.e. not register), but I'm not the average user.

I know this is not a direct answer to the question but, seriously, when will people with absolutely no clue about something start letting people with a better understanding do their work? This is so ridiculous.


Now, some suggestions to answer the question:

Pascal Thivent
+1 for addressing the talking points (almost -1 for being pompous about it ;-)
Metro Smurf
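The answer above makes the point that storing salted hashes is what makes "email the password back" impossible, and that a reset should hand out a temporary, one-time credential instead. The following is an added example (not code from the thread or from any of the answerers) showing both halves in one place: PBKDF2-HMAC-SHA256 with a per-user random salt, and a reset token whose SHA-256 digest (never the token itself) is stored with an expiry and consumed on first use. The iteration count, the 15-minute token lifetime, the in-memory `USERS` store and all function names are assumptions for illustration; a real site would back this with a database, a rate limiter and a verified email address to send the link to.

```python
# Added example: salted password hashing plus a one-time, expiring reset token.
# PBKDF2_ITERATIONS, RESET_TOKEN_TTL and the in-memory USERS dict are assumptions
# chosen for illustration, not values taken from the original thread.
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000      # assumed work factor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60        # assumed reset-link lifetime in seconds

USERS: dict = {}                 # username -> {"pw": str, "reset": Optional[dict]}


def hash_password(password: str) -> str:
    """Return a self-describing 'algo$iters$salt$hash' string. The password itself
    is not recoverable from it, so there is nothing to e-mail back to a user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def register(username: str, password: str) -> None:
    USERS[username] = {"pw": hash_password(password), "reset": None}


def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    return rec is not None and verify_password(password, rec["pw"])


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a one-time token for the reset link. Only its SHA-256 digest is stored,
    so a database leak does not expose live reset tokens. Returns None for unknown
    users so the caller can respond identically and not leak account existence."""
    rec = USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset"] = {
        "digest": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": (now if now is not None else time.time()) + RESET_TOKEN_TTL,
    }
    return token          # this raw value goes into the e-mailed link, never into the DB


def complete_reset(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Accept the token once, only before expiry, then replace the password hash."""
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    pending = rec["reset"]
    now = now if now is not None else time.time()
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if now > pending["expires"] or not hmac.compare_digest(digest, pending["digest"]):
        return False
    rec["reset"] = None                      # single use: consume before writing the new hash
    rec["pw"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))            # True
    print("staple" in USERS["alice"]["pw"])                           # False: nothing to mail back
    t = request_reset("alice", now=1000.0)
    print(complete_reset("alice", t, "new passphrase", now=1100.0))  # True
    print(complete_reset("alice", t, "again", now=1200.0))           # False: token already consumed
```

The two properties the director's proposals break are visible here: `verify_password` can only confirm a guess, never reveal the stored secret, and `complete_reset` refuses a token after it has been used or after `RESET_TOKEN_TTL`, so an intercepted email is only useful for a short window and at most once. Encrypting passwords reversibly would instead leave a single key whose compromise reveals every password at once.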