From 0b83193fd92358220fb76b832fa6a4872e13009c Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Thu, 11 May 2023 16:10:39 +1000 Subject: [PATCH] updates to rec for long time expiry of token --- .../token_has_long_timed_expiry/recommendations.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/recommendations.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/recommendations.md index 127f20e9..ad14a615 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/recommendations.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/recommendations.md @@ -2,10 +2,10 @@ The password reset token expiry time should be shortened to reduce the attack surface. Overall, the password reset implementation should conform to the following guidelines: -A secure password policy should be in place for the user to create a strong new password -Password reset tokens should be long to protect against brute force guessinging attacks, linked to an individual, invalidated after use, and have a short expiry time -Passwords should be stored and transmitted securely -Once a user’s password has been reset, they should be prompted to login in again through the usual login portal and not automatically signed in +- A secure password policy should be in place for the user to create a strong new password +- Password reset tokens should be long to protect against brute force guessinging attacks, linked to an individual, invalidated after use, and have a short expiry time +- Passwords should be stored and transmitted securely +- Once a user’s password has been reset, they should be prompted to login in again through the usual login portal and not automatically signed in For more information refer to the following guide relating to this vulnerability: