2.1.9 seems wrong #1753
Comments
It seems that CWE is outdated on this topic. A lot of authentication and session management requirements in ASVS are based on NIST research, including password requirements. The table also contains a NIST column and refers to 5.1.1.2.
... and there it is written: For correction, maybe we need to get rid of the CWE value from the requirement. The title and short description are kind of valid, but the section "Phase: Architecture and Design" is in conflict with NIST research.
No, this requirement was removed in the recent NIST 800-63b standard. They added things like blocking common passwords and stopping credential stuffing, and other controls that are more effective.
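To make the contrast in the comment above concrete, here is an added illustration (not code from ASVS, NIST, or any participant in this issue) that puts a CWE-521 style composition rule next to an SP 800-63B style verifier check: minimum length, long passphrases accepted, no composition rules, and rejection of values found in a blocklist of common or compromised passwords, context-specific words, and trivial repeated or sequential patterns. The blocklist, usernames and service name are constructed sample data; a real verifier would load a large breach-derived list.

```python
"""Two password-acceptance policies side by side.

Hypothetical example written for this discussion; not ASVS or NIST code.
"""
import re
from typing import Optional

# Constructed sample blocklist of commonly used / breached passwords.
# A real verifier would load a large list (e.g. derived from breach corpora).
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1", "qwerty123",
    "welcome1", "letmein", "iloveyou", "admin123", "summer2023",
}


def composition_check(password: str) -> Optional[str]:
    """CWE-521 style rule: length >= 8 and at least three character classes.

    Returns None if accepted, otherwise the reason for rejection.
    """
    if len(password) < 8:
        return "too short"
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < 3:
        return "needs at least three character classes"
    return None


def _is_repetitive_or_sequential(password: str) -> bool:
    """Reject values such as 'aaaaaaaa', '12345678' or 'abcdefgh'."""
    if len(set(password)) == 1:
        return True
    codes = [ord(c) for c in password]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return diffs == {1} or diffs == {-1}


def nist_800_63b_check(password: str, username: str = "",
                       service: str = "") -> Optional[str]:
    """SP 800-63B style rule: minimum length, passphrases accepted, no
    composition rules, but reject blocklisted, context-specific and trivial
    values. Returns None if accepted, otherwise the reason for rejection.
    """
    if len(password) < 8:
        return "too short"
    if len(password) > 64:  # SP 800-63B requires accepting at least 64 chars
        return "too long"
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "found in blocklist of common/compromised passwords"
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            return "contains context-specific word"
    if _is_repetitive_or_sequential(password):
        return "repetitive or sequential characters"
    return None


def compare(password: str, username: str = "", service: str = "") -> dict:
    """Run both policies on one candidate and return their verdicts."""
    return {
        "composition": composition_check(password),
        "nist": nist_800_63b_check(password, username, service),
    }


if __name__ == "__main__":
    # Constructed sample inputs: username "alice", service "example".
    for pw in ["P@ssw0rd1", "correct horse battery staple",
               "Alice2024!", "aaaaaaaa"]:
        print(pw, compare(pw, username="alice", service="example"))
```

The point the comparison makes: "P@ssw0rd1" satisfies every composition rule yet is exactly the kind of value a breach-derived blocklist catches, while a long all-lowercase passphrase fails the composition rule and passes the 800-63B style check.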
Is 2.1.9 right? Shouldn't passwords be required to have mixed character sets (https://cwe.mitre.org/data/definitions/521.html)?