From 09fd7611f78525b799192305779b8a711260a55f Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Mon, 15 May 2023 13:18:40 +1000 Subject: [PATCH 1/2] updates to rec for Token is Not Invalidated After Login --- .../recommendations.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/recommendations.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/recommendations.md index d45eb722..8673b0a6 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/recommendations.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/recommendations.md @@ -1,11 +1,11 @@ # Recommendation(s) -The password reset token should be invalidated after a user successfully resets their password and logs into the application. Overall, the password reset implementation should conform to the following guidelines: +It is best practice to invalidate the password reset token after after a user successfully resets their password and logs into the application. Overall, the password reset implementation should conform to the following guidelines: -A secure password policy should be in place for the user to create a strong new password -Password reset tokens should be long to protect against brute force guessing attacks, linked to an individual, invalidated after use, and have a short expiry time -Passwords should be stored and transmitted securely -Once a user’s password has been reset, they should be prompted to login in again through the usual login portal and not automatically signed in +- A secure password policy should be in place for the user to create a strong new password +- Password reset tokens should be long to protect against brute force guessinging attacks, linked to an individual, invalidated after use, and have a short expiry time +- Passwords should be stored and transmitted securely +- Once a user’s password has been reset, they should be prompted to login in again through the usual login portal and not automatically signed in For more information refer to the following guide relating to this vulnerability: From 73fb04ff607dddc4c8e8b4a1beb6943512804275 Mon Sep 17 00:00:00 2001 From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Wed, 15 May 2024 13:45:24 +1000 Subject: [PATCH 2/2] Fixed spelling error on guessing --- .../token_is_not_invalidated_after_login/recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/recommendations.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/recommendations.md index 8673b0a6..d12b69f5 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/recommendations.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/recommendations.md @@ -3,7 +3,7 @@ It is best practice to invalidate the password reset token after after a user successfully resets their password and logs into the application. Overall, the password reset implementation should conform to the following guidelines: - A secure password policy should be in place for the user to create a strong new password -- Password reset tokens should be long to protect against brute force guessinging attacks, linked to an individual, invalidated after use, and have a short expiry time +- Password reset tokens should be long to protect against brute force guessing attacks, linked to an individual, invalidated after use, and have a short expiry time - Passwords should be stored and transmitted securely - Once a user’s password has been reset, they should be prompted to login in again through the usual login portal and not automatically signed in