Account and password security OWASP guidelines

Posted: January 26, 2018 at 11:05 AM Quote #199825
Please can NopCommerce consider following OWASP guidelines for account and password security out of the box. This will greatly help meet the GDPR regulations. A guide can be found here: https://www.owasp.org/index.php/Authentication_Cheat_Sheet. Currently it falls down badly on account enumeration, and other aspects could be greatly improved.

Also, please consider a third option for password storage to be the hashed password encased in encryption. A good article (as well as contained within the previous link) can be found here: https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/

Lastly, although I am not expecting out-of-the-box support (easy integration would be nice), it would be good if, when the user enters a password, it is checked against a list of known insecure passwords like this: https://haveibeenpwned.com/Passwords


PS: off topic, but a good way to guard against XSS attacks would be to allow Content Security Policies to be added through the interface (if not already added out of the box), see https://www.owasp.org/index.php/Content_Security_Policy. They can easily be generated through Fiddler and a CSP plugin (available on GitHub).
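The two concrete asks in the post above, a breached-password check that does not send the full password hash to a third party, and the "hashed password encased in encryption" layering from the Dropbox article, as an added example that is not part of the original post nor nopCommerce code. It is stand-alone Python using only the standard library: the range-response body is constructed inline so the check runs offline, PBKDF2-HMAC-SHA256 stands in for bcrypt/Argon2 as the slow hash, and because the standard library has no AES the "encasing" cipher is HMAC-SHA256 run in counter mode, an assumed stand-in for AES-CTR. Function and record-field names are this example's own.

```python
import hashlib
import hmac
import os

# ---- 1. "Have I Been Pwned"-style breached-password check (k-anonymity) ----
# The client sends only the first 5 hex characters of the SHA-1 of the password
# and receives every suffix seen in that range with its breach count, so the
# full hash never leaves the server. The response body below is CONSTRUCTED
# from one known plaintext so the example runs offline.

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password: str, range_response: str) -> int:
    """Return the breach count for `password` from a 'SUFFIX:COUNT' range body, 0 if absent."""
    suffix = sha1_upper(password)[5:]
    for line in range_response.splitlines():
        found, _, count = line.strip().partition(":")
        if found and hmac.compare_digest(found, suffix):
            return int(count)
    return 0

# constructed: the real API would be asked for prefix sha1_upper("password123")[:5]
SAMPLE_RANGE_RESPONSE = (
    sha1_upper("password123")[5:] + ":123456\n"
    + "0" * 35 + ":7\n"          # an unrelated suffix in the same range
)

# ---- 2. Hashed password encased in encryption (Dropbox-style layering) ----
# Layer 1: SHA-512 pre-hash, so long inputs never hit slow-hash length limits.
# Layer 2: per-user salt + slow hash (PBKDF2-HMAC-SHA256 here; bcrypt/Argon2 in
#          production); this is what costs the attacker time per guess.
# Layer 3: encrypt the slow hash under a server-side key kept out of the DB; a
#          dumped table alone is then useless, and the key can be rotated
#          without the user's password (an HMAC "pepper" could not be).
# Stand-in cipher (assumption, stdlib has no AES): HMAC-SHA256 in counter mode.

PBKDF2_ROUNDS = 100_000   # low for a demo; tune to ~100 ms per hash in production

def slow_hash(password: str, salt: bytes) -> bytes:
    pre = hashlib.sha512(password.encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac("sha256", pre, salt, PBKDF2_ROUNDS, dklen=32)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with HMAC-SHA256(key, nonce||counter) blocks; symmetric, so it also decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def store_password(password: str, keys: dict, key_id: int) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    ct = keystream_xor(keys[key_id], nonce, slow_hash(password, salt))
    return {"key_id": key_id, "salt": salt, "nonce": nonce, "ct": ct}

def verify_password(password: str, record: dict, keys: dict) -> bool:
    stored = keystream_xor(keys[record["key_id"]], record["nonce"], record["ct"])
    return hmac.compare_digest(stored, slow_hash(password, record["salt"]))

def rotate_key(record: dict, keys: dict, new_key_id: int) -> dict:
    """Re-encrypt an existing record under a new key: no user interaction needed."""
    plain = keystream_xor(keys[record["key_id"]], record["nonce"], record["ct"])
    nonce = os.urandom(16)
    return {"key_id": new_key_id, "salt": record["salt"], "nonce": nonce,
            "ct": keystream_xor(keys[new_key_id], nonce, plain)}

if __name__ == "__main__":
    # constructed keys: in production these live in a KMS/HSM, not in code or the DB
    keys = {1: os.urandom(32), 2: os.urandom(32)}
    print("password123 seen in breaches:", breach_count("password123", SAMPLE_RANGE_RESPONSE))
    rec = store_password("correct horse battery", keys, 1)
    print("login ok:", verify_password("correct horse battery", rec, keys))
    rec = rotate_key(rec, keys, 2)
    print("login ok after key rotation:", verify_password("correct horse battery", rec, keys))
```

The point of layer 3 over a simple keyed pepper is visible in `rotate_key`: the stored value can be moved to a new key in a batch job, whereas an HMAC pepper can only be changed as each user logs in again. On the enumeration point from the post, the same `verify_password` cost should be paid for unknown usernames too (hash a dummy record), so that timing does not reveal which accounts exist.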
Posted: January 31, 2018 at 4:18 AM Quote #200006
Just to add to this, a good guide on how NopCommerce can transition from SHA1 hashes to something more secure can be found at: https://veggiespam.com/painless-password-hash-upgrades/
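The transition the reply above links to, wrapping every stored SHA1 hash inside a slow hash offline so no weak hash remains while users are still away, then re-hashing natively the next time each user logs in, as an added example that is neither the linked article's code nor nopCommerce's. It is stand-alone Python on the standard library; the legacy `sha1(password + salt)` record shape, the scheme labels and PBKDF2-HMAC-SHA256 as the new slow hash are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # low for a demo; tune to ~100 ms per hash in production

def legacy_sha1(password: str, salt: str) -> str:
    """Constructed stand-in for the old scheme: hex SHA-1 over password+salt."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()

def slow_hash(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS, dklen=32)

def wrap_legacy(record: dict) -> dict:
    """Step 1, run offline over the whole table: the stored SHA-1 hex becomes the
    *input* to the slow hash, so no bare SHA-1 remains and no user has to log in."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(sha1)", "legacy_salt": record["salt"],
            "salt": salt, "hash": slow_hash(record["hash"].encode("utf-8"), salt)}

def verify_and_upgrade(password: str, record: dict):
    """Step 2: verify by recomputing whichever layering the record carries; on a
    successful login of a non-native record, re-hash the password natively.
    Returns (ok, record_to_store)."""
    scheme = record["scheme"]
    if scheme == "sha1":                      # never wrapped (e.g. row added mid-migration)
        ok = hmac.compare_digest(legacy_sha1(password, record["salt"]), record["hash"])
    elif scheme == "pbkdf2(sha1)":            # wrapped legacy hash
        inner = legacy_sha1(password, record["legacy_salt"]).encode("utf-8")
        ok = hmac.compare_digest(slow_hash(inner, record["salt"]), record["hash"])
    elif scheme == "pbkdf2":                  # native new scheme
        ok = hmac.compare_digest(slow_hash(password.encode("utf-8"), record["salt"]),
                                 record["hash"])
    else:
        return False, record
    if ok and scheme != "pbkdf2":
        salt = os.urandom(16)
        record = {"scheme": "pbkdf2", "salt": salt,
                  "hash": slow_hash(password.encode("utf-8"), salt)}
    return ok, record

if __name__ == "__main__":
    # constructed legacy row as it would sit in the old table
    row = {"scheme": "sha1", "salt": "s4lt", "hash": legacy_sha1("correct horse", "s4lt")}
    row = wrap_legacy(row)
    print("after offline wrap:", row["scheme"])
    ok, row = verify_and_upgrade("correct horse", row)
    print("login ok:", ok, "-> scheme now", row["scheme"])
```

The scheme label must be stored with each row so the verifier knows which layering to recompute; once the last `pbkdf2(sha1)` row has been upgraded, the legacy branch and the SHA1 code can be deleted.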