Threat Modeling Gameplay with EoP
An attacker could go after the way credentials are updated or recovered (account recovery doesn’t require disclosing the old password).

| Threat | CAPEC | ASVS |
|---|---|---|
| If the reset asks questions such as what your mother’s maiden name is, or whether you or your parents are famous, this information may be in the public domain, so an attacker can use it to reset your password to whatever they want. Alternatively, if your family tree is online, it is equally likely that an attacker could find this information. | CAPEC-50 - Password Recovery Exploitation | 2.1.6 - Ensure both the new and current password are required to change password; 2.2.3 - Verify notifications sent for password changes; 2.5.2 - Verify password hints or security questions aren’... |
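The three ASVS controls in the table map directly onto code. The following is an added example written for this page, not code from the book or from the EoP card deck: a small in-memory account model (the `User` class, `_NOTIFICATIONS` list and function names are all hypothetical) in which changing a password requires the current password (2.1.6), every change or reset triggers a notification (2.2.3), and recovery uses a random, single-use, expiring token delivered out of band instead of a knowledge-based security question, which is the weakness CAPEC-50 describes.

```python
"""Added example (not from the book): password change and recovery flow that
satisfies ASVS 2.1.6 (current password required to change) and 2.2.3 (notify on
change), and replaces security questions with a single-use, expiring reset token.
All names here are hypothetical; the notification sink is a constructed stand-in."""
import hashlib
import hmac
import os
import secrets
import time

_NOTIFICATIONS = []  # constructed stand-in for an e-mail/SMS sender
RESET_TTL_SECONDS = 15 * 60


def _hash(password, salt):
    # Salted, iterated hash; only the hash is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class User:
    def __init__(self, name, password):
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.reset_token_hash = None
        self.reset_expires = 0.0


def _notify(user, msg):
    _NOTIFICATIONS.append((user.name, msg))


def verify_password(user, password):
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)


def change_password(user, current_password, new_password):
    """ASVS 2.1.6: a logged-in session alone is not enough to change the
    password; the current password must be supplied and verified."""
    if not verify_password(user, current_password):
        return False
    user.salt = os.urandom(16)
    user.pw_hash = _hash(new_password, user.salt)
    _notify(user, "Your password was changed.")  # ASVS 2.2.3
    return True


def start_reset(user):
    """Recovery without security questions: issue a random single-use token
    that is sent to the user's registered channel. Only its hash is stored, so
    a leaked database does not yield usable tokens."""
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).digest()
    user.reset_expires = time.time() + RESET_TTL_SECONDS
    _notify(user, "A password reset was requested for your account.")  # ASVS 2.2.3
    return token  # delivered out of band, never displayed on the reset page


def finish_reset(user, token, new_password, now=None):
    """Accept the reset only if the token matches, has not expired and has not
    been used before; the token is invalidated whether or not the new password
    is accepted downstream, so it cannot be replayed."""
    now = time.time() if now is None else now
    if user.reset_token_hash is None or now > user.reset_expires:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return False
    user.reset_token_hash = None  # single use
    user.salt = os.urandom(16)
    user.pw_hash = _hash(new_password, user.salt)
    _notify(user, "Your password was reset.")  # ASVS 2.2.3
    return True


if __name__ == "__main__":
    alice = User("alice", "correct horse")
    print(change_password(alice, "guess", "x"))        # False: current password required
    print(change_password(alice, "correct horse", "battery staple"))  # True
    tok = start_reset(alice)
    print(finish_reset(alice, tok, "new secret"))      # True
    print(finish_reset(alice, tok, "again"))           # False: token already consumed
    print(_NOTIFICATIONS)
```

The contrast with the threat in the table is that nothing a user's relatives or public records could reveal is ever accepted as proof of identity: the only recovery secret is a freshly generated token that expires, works once, and whose issuance is itself reported to the account holder.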