Look-up Secret Verifier

V2.6.1

Verify that lookup secrets can be used only once.

Level 1 required: False

Level 2 required: True

Level 3 required: True

CWE: 308

V2.6.2

Verify that lookup secrets have sufficient randomness (112 bits of entropy), or if less than 112 bits of entropy, salted with a unique and random 32-bit salt and hashed with an approved one-way hash.

Level 1 required: False

Level 2 required: True

Level 3 required: True

CWE: 330

V2.6.3

Verify that lookup secrets are resistant to offline attacks, such as predictable values.

Level 1 required: False

Level 2 required: True

Level 3 required: True

CWE: 310

Disclaimer:

Credit via OWASP ASVS. For more information visit The OWASP ASVS Project or Github respository.. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.

View source on GitHub