Commit

Added Parallel PBKDF2 in #1043 and Login Throttling in #892 (#1070)

* Added Parallel PBKDF2 and resolved lint issues

* Added Login Throttling including subheading as Account Lockout

* Update cheatsheets/Authentication_Cheat_Sheet.md

Made Account Lockout as a new subheading

Co-authored-by: Shlomo Zalman Heigh <[email protected]>

---------

Co-authored-by: Suyash Srivastava <[email protected]>
Co-authored-by: Shlomo Zalman Heigh <[email protected]>
3 people authored Jan 29, 2023
1 parent 6b73212 commit d1cc154
Showing 2 changed files with 15 additions and 1 deletion.
10 changes: 9 additions & 1 deletion cheatsheets/Authentication_Cheat_Sheet.md
Expand Up @@ -209,7 +209,13 @@ Multi-factor authentication (MFA) is by far the best defence against the majorit

The [Multifactor Authentication Cheat Sheet](Multifactor_Authentication_Cheat_Sheet.md) contains further guidance on implementing MFA.

#### Account Lockout
#### Login Throttling

Login Throttling is a protocol used to prevent an attacker from making too many attempts at guessing a password through normal interactive means, it includes:

- Maximum number of attempts.

##### Account Lockout

The most common protection against these attacks is to implement account lockout, which prevents any more login attempts for a period after a certain number of failed logins.

Expand All @@ -221,6 +227,8 @@ The counter of failed logins should be associated with the account itself, rathe

Rather than implementing a fixed lockout duration (e.g., ten minutes), some applications use an exponential lockout, where the lockout duration starts as a very short period (e.g., one second), but doubles after each failed login attempt.

- Amount of time to delay after each account lockout (max 2-3, after that permanent account lockout).

When designing an account lockout system, care must be taken to prevent it from being used to cause a denial of service by locking out other users' accounts. One way this could be performed is to allow the user of the forgotten password functionality to log in, even if the account is locked out.

#### CAPTCHA
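Review bot: the added bullet "- Amount of time to delay after each account lockout (max 2-3, after that permanent account lockout)." is a stranded list item: nothing introduces it, it sits between two paragraphs about lockout duration, and it reads as a continuation of the Login Throttling list from the previous hunk. "max 2-3" also has no unit (lockouts? attempts?), and recommending a permanent account lockout directly contradicts the unchanged paragraph below it, which warns that lockout can be abused to deny service to other users' accounts. Suggest moving the bullet up into the Login Throttling list, spelling out the unit, and replacing the permanent-lockout advice with an unlock path (e.g. the forgotten-password flow the text already mentions) or dropping it.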
6 changes: 6 additions & 0 deletions cheatsheets/Password_Storage_Cheat_Sheet.md
Expand Up @@ -145,6 +145,12 @@ The work factor for PBKDF2 is implemented through an iteration count, which shou
- PBKDF2-HMAC-SHA256: 600,000 iterations
- PBKDF2-HMAC-SHA512: 210,000 iterations

### Parallel PBKDF2

- PPBKDF2-SHA512: cost 2
- PPBKDF2-SHA256: cost 5
- PPBKDF2-SHA1: cost 10

These configuration settings are equivalent in the defense they provide. ([Number as of december 2022, based on testing of RTX 4000 GPUs](https://tobtu.com/minimum-password-settings/))

#### PBKDF2 Pre-hashing
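Review bot: the new "### Parallel PBKDF2" heading is one level above the neighbouring "#### PBKDF2 Pre-hashing" heading, so it escapes the PBKDF2 section instead of nesting under it; make it "#### Parallel PBKDF2". The list also needs a sentence saying what PPBKDF2 is and what "cost" means, because readers will otherwise read the cost values as iteration counts on the same scale as the 600,000 / 210,000 figures above. As placed, the unchanged sentence "These configuration settings are equivalent in the defense they provide" and its December 2022 RTX 4000 citation now cover both lists; state whether the PPBKDF2 cost numbers come from the same source, and if not, cite theirs. Minor: the list order (SHA512, SHA256, SHA1) is the reverse of the iteration list (SHA256, SHA512); align them.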