Secure Account Creation

When accounts are created, several security concerns should be considered.

  • How to prevent interception of the account password by an unauthorized third party.
  • How password resets will be implemented and whether any special account information is required to support the password reset process.
  • How to prevent a third party from using information cached on the client computer to compromise the account after the original creator has left the computer.
  • Depending upon the information collected during the account creation process, it may be necessary for the session between the client and server to be encrypted using the HTTPS protocol.
  • Transmission of personal information and any security question used for password reset should be kept separate from transmission of account password.
  • How to prevent robots from creating accounts. Use one or more methods, including limiting the number of accounts a client may attempt to create during a set timeframe, using a CAPTCHA test, or checking information that a robot would not fill out the same way a human would.

Security Requirements

  • The account password hash should be encrypted using HTTPS when the account is created. The account password hash must be protected from unauthorized third parties both in transit and in storage; therefore it must be transmitted and stored in encrypted form.
  • The account creation/management software must support password requirements including:
    • A password/passphrase length of at least 127 two-byte characters must be supported.
    • Minimum complexity rules for passwords must be enforced, including a minimum length and multiple character types: at least 3 of the 4 types lower case, upper case, numeric, and special characters.
    • Account lockout after a minimum number of bad logon attempts (normally 3-4) must be supported. Account reset can be automatic, with the account unlocked after a minimum of 30 minutes, or may be set so that only administrators can unlock the account.
    • The system should create logs of account creation attempts and account access attempts. Logs should be kept as specified by the data retention policy.
  • The account creation page should use one or more methods to prevent automated creation of accounts including:
    • Limit the client's ability to create more than a set number of accounts from a specific IP address during a set timeframe, for example by adding a 15 second delay to the server response for every account creation page attempt. Alternatively, measure the time between the page being loaded and being filled out and returned; if the time is too short, the client may be a machine.
    • When an account is created, the system should send an email to the address the account was created under and require the email address to be verified prior to activation of the account. Accounts not verified within 24 hours should be logged and deleted. The email verification process will reduce the need for the CAPTCHA page.
    • Utilize CAPTCHA test software to prevent spamming of the account creation page.
  • The account creation page should not be cached in the user browser.
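As an added example (not code from the original standard), the password complexity rule and the lockout rule from the list above, in Python. The page gives 3-4 bad logons and a 30 minute unlock period; the minimum length of 12 is an assumed value, since the page states no number.

```python
from dataclasses import dataclass, field
# Page values: 3-4 bad logons, 30 minute minimum unlock. MIN_LENGTH is assumed.
MIN_LENGTH = 12
MAX_FAILED_LOGONS = 4
LOCKOUT_SECONDS = 30 * 60

def password_meets_policy(pw: str, min_length: int = MIN_LENGTH) -> bool:
    """Minimum length plus at least 3 of the 4 character classes; len()
    counts code points, so a 127-character two-byte passphrase is accepted."""
    if len(pw) < min_length:
        return False
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),  # special characters
    )
    return sum(classes) >= 3

@dataclass
class LockoutTracker:
    """Bad-logon counter per logon ID (auto_unlock=False: admins unlock only)."""
    max_failed: int = MAX_FAILED_LOGONS
    lockout_seconds: int = LOCKOUT_SECONDS
    auto_unlock: bool = True
    failed: dict = field(default_factory=dict)     # logon_id -> bad attempts
    locked_at: dict = field(default_factory=dict)  # logon_id -> lockout time

    def is_locked(self, logon_id: str, now: float) -> bool:
        locked = self.locked_at.get(logon_id)
        if locked is None:
            return False
        if self.auto_unlock and now - locked >= self.lockout_seconds:
            self.unlock(logon_id)  # lockout period has elapsed
            return False
        return True

    def record_failure(self, logon_id: str, now: float) -> bool:
        # Count a bad logon; return True when the account is (now) locked.
        if self.is_locked(logon_id, now):
            return True
        self.failed[logon_id] = self.failed.get(logon_id, 0) + 1
        if self.failed[logon_id] >= self.max_failed:
            self.locked_at[logon_id] = now
            return True
        return False

    def unlock(self, logon_id: str) -> None:  # on successful logon or by admin
        self.failed.pop(logon_id, None)
        self.locked_at.pop(logon_id, None)
```

The caller checks `is_locked` before verifying any credential and calls `unlock` on a successful logon, so a successful attempt resets the counter.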

Account Information Fields

  • Logon ID (8 characters minimum)
  • Display Name
  • Email address
  • Confirm Email address
  • Password
  • Confirm Password
  • Choice of secure personal information questions that can be used for password reset (if password reset is a feature) and answer. This information must be transmitted and stored in encrypted form and not cached in the user's browser.
  • Some personal information, either for site use (depending on the type of site) or to help verify identity, including:
    • Birthday MM/YY
    • Height (if adult)
    • Shoe size
    • Eye and hair color
    • Race, religion
    • Hemisphere you live in (east, west, north, south)
    • Continent you live on
  • Depending upon the site, personal information such as who you are, your hobbies, goals, etc.

The page that accepts the account password must be accepted by the server only while the account is being created, so that an attacker cannot reuse the page to set the password of an existing account.