Jun 16 Dan Schultzer

Security practices

Some of the practices below follow OWASP or NIST SP 800-63B recommendations.

User ID

  • The user_id_field value is always treated as case-insensitive
  • If the user_id_field is :email, it'll be validated based on RFC 5322 (sections 3.2.3 and 3.4.1) and RFC 5321, with Unicode characters permitted in the local and domain parts

Password

  • The :password has a minimum length of 8 characters
  • The :password has a maximum length of 4096 bytes to prevent DoS attacks against PBKDF2 (each extra byte is extra hashing work an attacker can force per request)
  • The :password_hash is generated with PBKDF2-SHA512 with 100,000 iterations

Session management

  • The session value contains a UUID token that is used to pull credentials through a GenServer
  • The credentials are stored in a key-value cache with TTL of 30 minutes
  • The credentials and session are renewed after 15 minutes if any activity is detected
  • The credentials and session are renewed when the user record is updated
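An added illustration of the cache semantics listed above (30-minute TTL, token rotation once activity is seen after 15 minutes). This is example code written for this page, not Pow's own session store; the GenServer name, the {credentials, inserted_at} entry layout and the explicit `now` argument (passed in so the walk-through can simulate time) are assumptions.

```elixir
defmodule SessionCacheDemo do
  @moduledoc false
  use GenServer

  @ttl_ms 30 * 60 * 1000          # credentials live at most 30 minutes without activity
  @renew_after_ms 15 * 60 * 1000  # activity after 15 minutes rotates the token

  def start_link(opts \\ []), do: GenServer.start_link(__MODULE__, :ok, opts)

  # Store credentials under a fresh UUID token; `now` is milliseconds (monotonic clock).
  def create(pid, credentials, now \\ System.monotonic_time(:millisecond)),
    do: GenServer.call(pid, {:create, credentials, now})

  # Returns {:ok, credentials, token_to_use_from_now_on} or :error.
  def fetch(pid, token, now \\ System.monotonic_time(:millisecond)),
    do: GenServer.call(pid, {:fetch, token, now})

  @impl true
  def init(:ok), do: {:ok, %{}}

  @impl true
  def handle_call({:create, creds, now}, _from, state) do
    token = new_token()
    {:reply, token, Map.put(state, token, {creds, now})}
  end

  def handle_call({:fetch, token, now}, _from, state) do
    case Map.fetch(state, token) do
      :error ->
        {:reply, :error, state}

      {:ok, {_creds, inserted}} when now - inserted > @ttl_ms ->
        # Past the TTL: drop the entry and report a miss.
        {:reply, :error, Map.delete(state, token)}

      {:ok, {creds, inserted}} when now - inserted >= @renew_after_ms ->
        # Activity after the renewal threshold: issue a new token, reset the TTL,
        # and invalidate the old token so it cannot be replayed.
        renewed = new_token()
        state = state |> Map.delete(token) |> Map.put(renewed, {creds, now})
        {:reply, {:ok, creds, renewed}, state}

      {:ok, {creds, _inserted}} ->
        {:reply, {:ok, creds, token}, state}
    end
  end

  # 128 random bits rendered as a version-4 UUID string.
  defp new_token do
    <<a::48, _::4, b::12, _::2, c::62>> = :crypto.strong_rand_bytes(16)

    <<a::48, 4::4, b::12, 2::2, c::62>>
    |> Base.encode16(case: :lower)
    |> format_uuid()
  end

  defp format_uuid(<<a::binary-8, b::binary-4, c::binary-4, d::binary-4, e::binary-12>>),
    do: Enum.join([a, b, c, d, e], "-")
end

# Constructed walk-through with a simulated clock (t0 = 0 ms).
{:ok, cache} = SessionCacheDemo.start_link()
token = SessionCacheDemo.create(cache, %{user_id: 42}, 0)

# 5 minutes later: served as-is, same token.
{:ok, %{user_id: 42}, ^token} = SessionCacheDemo.fetch(cache, token, 5 * 60_000)

# 16 minutes later: served, but the token is rotated and the old one is gone.
{:ok, %{user_id: 42}, renewed} = SessionCacheDemo.fetch(cache, token, 16 * 60_000)
true = renewed != token
:error = SessionCacheDemo.fetch(cache, token, 16 * 60_000)

# 31 minutes of inactivity on the renewed token: expired.
:error = SessionCacheDemo.fetch(cache, renewed, 16 * 60_000 + 31 * 60_000)
IO.puts("session cache checks passed")
```

Run it with `elixir session_cache_demo.exs`; every top-level pattern match raises if the behaviour deviates, so the script doubles as its own check.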

Timing attacks

  • If a user couldn't be found or the :password_hash is nil, a blank password is hashed anyway, so the request costs the same as a real verification and the response time doesn't reveal whether the account exists
  • A UUID is always generated during the reset-password flow, whether or not the e-mail matches an account
  • Tokens are signed for public consumption and verified before lookup:
    • Session ID in Pow.Plug.Session
    • Persistent session token in PowPersistentSession.Plug.Cookie
    • Reset password token in PowResetPassword.Plug
    • E-mail confirmation token in PowEmailConfirmation.Plug
    • Invitation token in PowInvitation.Plug
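The following module, added as an example for this page and not taken from Pow's source, puts the Password and Timing attacks sections together in one runnable file: the 8-character / 4096-byte limits, PBKDF2-SHA512 with 100,000 iterations, the blank-password branch for an unknown user, and a token that is HMAC-signed for the client and verified before any lookup. The encoded-hash layout ("pbkdf2-sha512$iterations$salt$key"), the token format ("payload.mac"), the literal signing secret and the `secure_compare` helper are all assumptions of this example; `:crypto.pbkdf2_hmac/5` requires OTP 24.2 or newer.

```elixir
defmodule PowPracticesDemo do
  @moduledoc false
  import Bitwise

  @min_length 8
  @max_bytes 4096
  @iterations 100_000
  @salt_bytes 16
  @key_bytes 64
  # Assumption for the demo: a real application reads this from configuration.
  @secret "demo-only-signing-secret"

  # Policy: at least 8 characters, at most 4096 bytes (caps per-request PBKDF2 work).
  def validate(password) when is_binary(password) do
    cond do
      String.length(password) < @min_length -> {:error, :too_short}
      byte_size(password) > @max_bytes -> {:error, :too_long}
      true -> :ok
    end
  end

  # PBKDF2-SHA512, 100,000 iterations, fresh random salt for every hash.
  def hash(password) do
    salt = :crypto.strong_rand_bytes(@salt_bytes)
    key = :crypto.pbkdf2_hmac(:sha512, password, salt, @iterations, @key_bytes)
    Enum.join(["pbkdf2-sha512", Integer.to_string(@iterations), Base.encode64(salt), Base.encode64(key)], "$")
  end

  def verify(password, encoded) do
    [_alg, iter, salt64, key64] = String.split(encoded, "$")
    salt = Base.decode64!(salt64)
    expected = Base.decode64!(key64)
    candidate = :crypto.pbkdf2_hmac(:sha512, password, salt, String.to_integer(iter), byte_size(expected))
    secure_compare(candidate, expected)
  end

  # Known user with a stored hash: the real check.
  def authenticate(%{password_hash: stored}, password) when is_binary(stored),
    do: verify(password, stored)

  # Unknown user or nil hash: hash a blank password so this branch costs one
  # PBKDF2 run like the real check, then reject. Skipping the work would make a
  # missing account answer measurably faster than a wrong password.
  def authenticate(_no_user_or_no_hash, _password) do
    _ = hash("")
    false
  end

  # Tokens handed to the client carry an HMAC over the payload.
  def sign_token(id) when is_binary(id) do
    payload = Base.url_encode64(id, padding: false)
    payload <> "." <> Base.url_encode64(mac(payload), padding: false)
  end

  # The MAC is checked before the id is used, so a forged or malformed token
  # is rejected without touching the store.
  def verify_token(token) when is_binary(token) do
    with [payload, mac64] <- String.split(token, ".", parts: 2),
         {:ok, given} <- Base.url_decode64(mac64, padding: false),
         true <- secure_compare(given, mac(payload)),
         {:ok, id} <- Base.url_decode64(payload, padding: false) do
      {:ok, id}
    else
      _ -> :error
    end
  end

  # Lookup happens only after the signature has been verified.
  def fetch_credentials(store, token) do
    case verify_token(token) do
      {:ok, id} -> Map.fetch(store, id)
      :error -> :error
    end
  end

  defp mac(data), do: :crypto.mac(:hmac, :sha256, @secret, data)

  # Constant-time equality: OR together the XOR of every byte pair, then test for zero.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    a
    |> :binary.bin_to_list()
    |> Enum.zip(:binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> acc ||| bxor(x, y) end) == 0
  end

  defp secure_compare(_a, _b), do: false
end

# Constructed walk-through; each match raises on unexpected behaviour.
:ok = PowPracticesDemo.validate("correct horse battery")
{:error, :too_short} = PowPracticesDemo.validate("short")
stored = PowPracticesDemo.hash("correct horse battery")
true = PowPracticesDemo.authenticate(%{password_hash: stored}, "correct horse battery")
false = PowPracticesDemo.authenticate(%{password_hash: stored}, "wrong password")
false = PowPracticesDemo.authenticate(nil, "anything")

store = %{"sess-1" => %{user_id: 42}}
token = PowPracticesDemo.sign_token("sess-1")
{:ok, %{user_id: 42}} = PowPracticesDemo.fetch_credentials(store, token)
:error = PowPracticesDemo.fetch_credentials(store, "sess-1.forged")
IO.puts("password and token checks passed")
```

The two `authenticate/2` clauses are the point of the Timing attacks bullet: both paths perform exactly one PBKDF2 derivation before answering. For the signed tokens, note that verification never consults the store, so probing with made-up tokens yields only the cost of one HMAC.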

User enumeration attacks

  • If authentication fails, the generic message "The provided login details did not work. Please verify your credentials, and try again." is returned
  • When a password reset is requested with PowResetPassword for an e-mail that doesn't exist, the generic message "If an account for the provided email exists, an email with reset instructions will be send to you. Please check your inbox." is returned
  • When attempting to invite a user with PowInvitation using an already taken e-mail, the success message "An e-mail with invitation link has been sent." is returned

Enabling PowEmailConfirmation extension will add additional protection:

  • When a user attempts to register with an e-mail that is already taken, they are redirected with the same "confirm your e-mail" message as a genuine registration
  • Updating the e-mail requires the user to confirm the new address by clicking a link sent to it

You can disable the protection by setting pow_prevent_user_enumeration: false in conn.private.

Browser cache

  • The sign-in, registration and invitation-acceptance pages won't be cached by the browser