Password strength
Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:
• The password does not contain a dictionary word or the account name of the user or company.
• The password is at least eight (8) characters long and can be up to 128 characters long.
• The password contains characters from three of the following four categories: o Latin uppercase letters (A through Z) o Latin lowercase letters (a through z) o Base 10 digits (0 through 9) o Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%). o not more than 2 identical characters …show more content…
Once that's been done, the link is invalid.
• The link needs to expire if not used within 7 day period
Automatic Session Expiration
OWASP Session Management
In order to minimize the time period an attacker can launch attacks over active sessions and hijack them, it is mandatory to set expiration timeouts for every session, establishing the amount of time a session will remain active. Insufficient session expiration by the web application increases the exposure of other session-based attacks, as for the attacker to be able to reuse a valid session ID and hijack the associated session, it must still be active.
• Idle Timeout o All sessions should implement an idle or inactivity timeout o inactivity timeout defines the amount of time a session will remain active in case there is no activity in the session o closing and invalidating the session upon the defined idle period since the last HTTP request received by the web application for a given session ID.
• Absolute Timeout o All sessions should implement an absolute timeout , regardless of session
Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:
• The password does not contain a dictionary word or the account name of the user or company.
• The password is at least eight (8) characters long and can be up to 128 characters long.
• The password contains characters from three of the following four categories: o Latin uppercase letters (A through Z) o Latin lowercase letters (a through z) o Base 10 digits (0 through 9) o Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%). o not more than 2 identical characters …show more content…
Once that's been done, the link is invalid.
• The link needs to expire if not used within 7 day period
Automatic Session Expiration
OWASP Session Management
In order to minimize the time period an attacker can launch attacks over active sessions and hijack them, it is mandatory to set expiration timeouts for every session, establishing the amount of time a session will remain active. Insufficient session expiration by the web application increases the exposure of other session-based attacks, as for the attacker to be able to reuse a valid session ID and hijack the associated session, it must still be active.
• Idle Timeout o All sessions should implement an idle or inactivity timeout o inactivity timeout defines the amount of time a session will remain active in case there is no activity in the session o closing and invalidating the session upon the defined idle period since the last HTTP request received by the web application for a given session ID.
• Absolute Timeout o All sessions should implement an absolute timeout , regardless of session