issue #1520 Updated authentication.md #1570

Closed
24 changes: 24 additions & 0 deletions Dockerfile

I don't like the fact that this Dockerfile is being changed under the PR that is associated with issue #1520 which has nothing to do with this, so we need a new GitHub issue created to deal with whatever this is trying to deal with.

@@ -1,9 +1,33 @@
# FROM python:latest

Really? What's the point of inserting this all as comments when it almost 100% matches the actual executable docker statements below (aside from what was added in lines 24-30)? If anyone wants to know what it previously looked like, that's what Git history is for. Eventually this will only lead to confusion since the comments and the docker statements are not in sync.

# WORKDIR /usr/src/app
# COPY . .

# EXPOSE 8000

# RUN apt-get update && apt-get install -y \
# build-essential \
# python3-pip \
# && pip3 install mkdocs


# RUN make install-python-requirements
# RUN make generate-site
# ENTRYPOINT ["make", "serve"]

##
FROM python:latest
WORKDIR /usr/src/app
COPY . .

EXPOSE 8000

RUN apt-get update && apt-get install -y \
build-essential \
python3-pip \
dos2unix \
&& pip3 install mkdocs

RUN dos2unix scripts/Generate_Site_mkDocs.sh

Okay. I do not like this. If someone using Windows previously edited a bash script so it ended up with \r\n as EOL terminators rather than just \n and broke the script, the better way to deal with this is to create an issue for the particular script and just fix the script. This is a kludge, and if we start using this, we may eventually find ourselves having to do this for all the bash scripts under 'scripts'.

Furthermore, if this is becoming a problem, a better way to address it is to have contributors set the 'core.input' attribute in their .gitconfig file. In ESAPI, we mention this:

Finally, we recommend setting the git property 'core.autocrlf' to 'input' in your $HOME/.gitconfig file; e.g., that file should contain something like this:

[core]
    autocrlf = input

and since people have been using that, we haven't had that problem. (And, if they ignore that and persist on messing up bash scripts by using \r\n for EOL terminators, we force them to program for 3 months while wearing mittens.)

So, of course, if we don't execute dos2unix, we don't need to install it either (line 27), so it can be removed from there as well.
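The comment above fixes line endings on the contributor side with `core.autocrlf`; the check a maintainer would still want is one that fails CI (or a pre-commit hook) when a CRLF script has already landed in the repository, which is the condition the PR's `dos2unix` step patches over at image build time. The following POSIX sh script is an added example, not code from the PR or from the cheat sheet project: `check_crlf_scripts` and `make_sample_tree` are hypothetical names, the sample files are constructed, and the `.gitattributes` rule it mentions (`*.sh text eol=lf`) is a suggested companion setting that is not part of this PR.

```sh
#!/bin/sh
# Added example, not code from the PR or from the cheat sheet project.
# Fails when any shell script under a directory contains CRLF line endings,
# i.e. the condition the PR's dos2unix step works around at image build time.
# Intended for CI or a pre-commit hook; pairs with a .gitattributes rule such
# as "*.sh text eol=lf" (assumed, not in the PR) so CRLF cannot enter the repo.

# check_crlf_scripts DIR  -> lists offending scripts on stdout, returns 1 if any
check_crlf_scripts() {
    dir="${1:-scripts}"
    # grep -l prints the names of files containing a literal carriage-return
    # byte; $(printf '\r') produces that byte portably (command substitution
    # strips trailing newlines only, not carriage returns).
    offenders=$(find "$dir" -type f -name '*.sh' \
        -exec grep -l "$(printf '\r')" {} + 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'CRLF line endings found in:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed sample tree (hypothetical contents): scripts/ holds one clean
# script and one saved with Windows endings; clean/ holds only a clean script.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/scripts" "$root/clean"
    printf '#!/bin/sh\necho ok\n' > "$root/scripts/good.sh"
    printf '#!/bin/sh\r\necho broken\r\n' > "$root/scripts/bad.sh"
    printf '#!/bin/sh\necho ok\n' > "$root/clean/fine.sh"
    printf '%s\n' "$root"
}
```

Run `check_crlf_scripts scripts` from the repository root in CI; a non-zero exit blocks the merge and names the files that need `dos2unix` applied once, in the repository, rather than on every image build.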

RUN make install-python-requirements
RUN make generate-site
ENTRYPOINT ["make", "serve"]
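Review bot: The only functional change in this hunk is the new `dos2unix` package and the `RUN dos2unix scripts/Generate_Site_mkDocs.sh` step; the commented-out copy of the previous Dockerfile above the `##` line duplicates the live instructions and will drift out of sync, so drop it and rely on Git history. Converting line endings at image build time also leaves the repository itself carrying a CRLF script that still breaks for anyone running it outside Docker; a `.gitattributes` entry such as `*.sh text eol=lf` normalizes the file on checkout regardless of each contributor's `core.autocrlf` setting, after which both `dos2unix` lines can go. While touching this file: `COPY . .` comes before the `RUN apt-get update && apt-get install ...` layer, so every source change invalidates the package-install cache; move the `COPY` below that `RUN`, and append `&& rm -rf /var/lib/apt/lists/*` to it so the apt index does not stay in the image.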
4 changes: 3 additions & 1 deletion cheatsheets/Authentication_Cheat_Sheet.md

I'm fine with these changes. I don't know if we actually want a blank line to start this .md file, but if it's consistent with the other CS pages, it's fine. (I'm just too lazy to check right now.) As for the content changes, it LGTM.

@@ -1,3 +1,4 @@

# Authentication Cheat Sheet

## Introduction
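Review bot: This hunk only prepends a blank line before `# Authentication Cheat Sheet`; unless the other cheat sheets start with a blank line, drop it so the file begins with its H1 as before, since whitespace-only churn is unrelated to issue #1520 and makes the change harder to review.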
@@ -36,7 +37,8 @@ A key concern when using passwords for authentication is password strength. A "s
- **Maximum** password length should be **at least 64 characters** to allow passphrases ([NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)). Note that certain implementations of hashing algorithms may cause [long password denial of service](https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/).
- Do not silently truncate passwords. The [Password Storage Cheat Sheet](Password_Storage_Cheat_Sheet.md#maximum-password-lengths) provides further guidance on how to handle passwords that are longer than the maximum length.
- Allow usage of **all** characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters.
- Ensure credential rotation when a password leak occurs, or at the time of compromise identification.
- Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable **Multi-Factor Authentication (MFA)**. Consider password rotation only in case of compromise or when authenticator technology is changed.
According to [NIST guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html), verifiers should not mandate arbitrary password changes (e.g., periodically).
- Include a password strength meter to help users create a more complex password and block common and previously breached passwords
- [zxcvbn-ts library](https://github.com/zxcvbn-ts/zxcvbn) can be used for this purpose.
- [Pwned Passwords](https://haveibeenpwned.com/Passwords) is a service where passwords can be checked against previously breached passwords. You can host it yourself or use the [API](https://haveibeenpwned.com/API/v3#PwnedPasswords).
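Review bot: The bullet "Ensure credential rotation when a password leak occurs, or at the time of compromise identification" and the sentence "Consider password rotation only in case of compromise or when authenticator technology is changed" state the same rule twice; keep one, folding the compromise and technology-change triggers into the "Avoid requiring periodic password changes" item. The line beginning "According to [NIST guidelines]" appears on its own line with no list prefix or indentation after that bullet; join it to the preceding line or indent it under the bullet so every renderer and linter treats it as part of the item rather than a new paragraph. The NIST SP800-63B URL is already linked two bullets earlier, so the second mention can point at the same reference without repeating the full link.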