# The Open Worldwide Application Security Project

[[owasp-top-10|OWASP Top 10]]

## Resources

- [The Open Worldwide Application Security Project](https://owasp.org)
- [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
- Slides from [[secure-software-engineering|SSE]]: [OWASP Top 10 Pt. 1](https://docs.google.com/presentation/d/1kwuxRZERHUKUp04G3APtLN7tDt_v9uCghiDGd7wa33E/) and [OWASP Top 10 Pt. 2](https://docs.google.com/presentation/d/1DhaE0TBi9QKJObsLNzOgia92sPe96q1oKqv2JvFw6lg/)

## OWASP Guidelines for [[password|Password]]

[SSE Lecture 7](https://docs.google.com/presentation/d/1Kq4M-fXNslvE3gLnuSj-tblHEZo9tPMzppnD96qFeoU/)

- Provide as little information as possible (return a **consistent** message for both existent and non-existent accounts).
- Use a **side channel** (out-of-band channel) for recovery.
- User confirms password by **writing it twice**.
- Protection against **automated submission**.
- **Don't use security questions**.

## Guidelines to Authentication and Session Management

> [!note] Multi-Factor Authentication (MFA)
>
> - Possession: Something you have.
> - Knowledge: Something you know.
> - Being: Something you are.
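The "consistent message" and "side channel for recovery" guidelines from the password section, as an added example that is not from the lecture slides or OWASP: a leaky login handler beside a hardened one, plus a recovery request whose reply never reveals account existence. The user store, salt and `OUTBOX` stand-in for the out-of-band channel are constructed; the equal-work (dummy hash) detail in `login_consistent` goes beyond the page, added so that response time does not reveal account existence either.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store (not real credentials): username -> (salt, hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}

GENERIC_LOGIN_MSG = "Invalid username or password"
GENERIC_RECOVERY_MSG = "If an account exists, a reset link has been sent."

def login_leaky(username: str, password: str):
    """Leaky: distinct messages tell the caller whether the account exists."""
    if username not in USERS:
        return False, "No such user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return True, "Welcome"
    return False, "Wrong password"

# Dummy entry (constructed) so the same hashing work runs for unknown users.
_DUMMY = (_SALT, _hash("dummy-placeholder", _SALT))

def login_consistent(username: str, password: str):
    """Hardened: one message for unknown user and wrong password, and the
    password is always hashed, so neither text nor timing leaks existence."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    ok = match and username in USERS  # guard against a match on the dummy
    return ok, ("Welcome" if ok else GENERIC_LOGIN_MSG)

OUTBOX = []  # constructed stand-in for the out-of-band channel (e.g. e-mail)

def request_recovery(username: str) -> str:
    """Recovery over a side channel: the token only travels out-of-band and
    the HTTP-style reply is identical whether or not the account exists."""
    if username in USERS:
        OUTBOX.append((username, secrets.token_urlsafe(32)))
    return GENERIC_RECOVERY_MSG

def confirm_new_password(first: str, second: str) -> bool:
    """'Write it twice': only accept the new password when both entries match."""
    return hmac.compare_digest(first.encode(), second.encode())
```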