“Transitioning to a Post-Password Future” with OWASP ASVS V4 | Pivot Point Security

Pivot Point Security · 2 min read · Sep 10, 2020

Last Updated on September 16, 2020

The Application Security Verification Standard (ASVS) from the Open Web Application Security Project (OWASP) is now at Version 4. Besides being some of the best guidance available for testing web application security, the ASVS also aims to raise the level of web application security across the board.

Among the most controversial aspects of the OWASP ASVS Version 4 controls are the Authentication Verification Requirements, specifically those around passwords.

In this area and several others, ASVS 4 controls “have been adapted to be a compliant subset of selected NIST 800-63b [Digital Identity Guidelines] controls, focused around common threats and commonly exploited authentication weaknesses.” NIST 800-63b views passwords as “pre-breached” and obsolete.

ASVS 4 further states, “… with the release of over 5 billion username and password breaches, it’s time to move on. … We have to start the transition to a post-password future now.”

Daniel continues: “For example, verify that you can have more than 64 character passwords. Verify that your passwords contain spaces, because a lot of us don’t. Verify if you want to, you can have emoji or Kanji or whatever you want in the password, right? So it goes through each of these little steps that, if followed, raise the bar when it comes to security.”

“Things that are the bane of everybody’s life, [like] forcing password changes. Why? So we have it in there, 2.1.10, ‘Verify that there are no periodic credential rotation or password history requirements,’ which was very controversial and a lot of people didn’t like it. But it’s like, ‘We need to mature, we need to grow up,’” asserts Daniel.
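The checks Daniel lists (long passwords, spaces, emoji or Kanji, no forced rotation) are easy to express as a policy object, and putting a legacy policy beside an ASVS-4-style one shows exactly what changes. The following Python is an added example written for this page; it is not code from OWASP, the ASVS project or the podcast. The minimum of 12 and maximum of 128 characters, the NFKC normalization step and the small breached-password set are assumptions, not values stated on this page.

```python
"""Password-acceptance checks in the spirit of OWASP ASVS 4 section V2.1.

A deliberately weak legacy policy sits beside an ASVS-4-style policy so the
difference in what each accepts is visible on the same inputs.
"""
import unicodedata
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_len: int                  # minimum length, counted in Unicode code points
    max_len: int                  # upper bound, mainly to cap hashing cost
    allow_space: bool
    allow_non_ascii: bool
    rotation_days: Optional[int]  # None means no periodic rotation is required


# Constructed legacy policy: the kind of rules the post argues against.
LEGACY = PasswordPolicy(min_len=8, max_len=16, allow_space=False,
                        allow_non_ascii=False, rotation_days=90)

# ASVS-4-style policy. The page supports passwords over 64 characters,
# spaces, emoji/Kanji, and no periodic rotation (2.1.10). The 12/128
# bounds are an assumption taken from ASVS 4 controls 2.1.1 and 2.1.2.
ASVS4 = PasswordPolicy(min_len=12, max_len=128, allow_space=True,
                       allow_non_ascii=True, rotation_days=None)

# Constructed stand-in for a real breach corpus; ASVS 4 (2.1.7) asks that
# new passwords be checked against such a list.
BREACHED = {"password123", "qwerty123456", "letmein12345"}


def validate(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    # Assumption: normalize to NFKC so visually identical Unicode input compares
    # (and later hashes) the same way.
    pw = unicodedata.normalize("NFKC", password)
    problems: List[str] = []
    n = len(pw)  # code points, not bytes: an emoji counts as one character
    if n < policy.min_len:
        problems.append(f"shorter than {policy.min_len} characters")
    if n > policy.max_len:
        problems.append(f"longer than {policy.max_len} characters")
    if not policy.allow_space and " " in pw:
        problems.append("spaces not permitted")
    if not policy.allow_non_ascii and not pw.isascii():
        problems.append("non-ASCII characters not permitted")
    if pw.lower() in BREACHED:
        problems.append("appears in breached-password list")
    return problems


def rotation_due(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True only if the policy still forces periodic rotation and it has elapsed."""
    if policy.rotation_days is None:
        return False
    return today - last_changed >= timedelta(days=policy.rotation_days)


if __name__ == "__main__":
    # Constructed sample inputs.
    passphrase = "correct horse battery staple 🔑 鍵"
    for name, policy in (("LEGACY", LEGACY), ("ASVS4", ASVS4)):
        print(name, validate(passphrase, policy))
        print(name, validate("Password123", policy))
        print(name, "rotation due:",
              rotation_due(date(2020, 1, 1), date(2020, 9, 10), policy))
```

Under `ASVS4` the long Unicode passphrase is accepted and `rotation_due` is always false; under `LEGACY` the same passphrase is rejected three times over, while the short breached password passes every legacy rule except the breach check. That inversion is the point of the controls quoted above.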

If your business is interested in maturing its web application security posture, ASVS 4 is a great place to start. To get Daniel and John’s expert insight about the OWASP ASVS and how it can help, click here to listen to the podcast episode in its entirety. If you don’t use Apple Podcasts, you can find all the episodes from The Virtual CISO Podcast here.

For more (NIST 800-63b-aligned 🙂) information:

Get your download here! Free OWASP ASVS Testing Guide

Originally published at https://www.pivotpointsecurity.com on September 10, 2020.
