Authentication: enable modules to enhance authentication
Enable and configure modules as required:
- https://www.drupal.org/project/password_policy (See #10)
- https://www.drupal.org/project/login_security
- https://www.drupal.org/project/flood_control
- https://www.drupal.org/project/autologout
- https://www.drupal.org/project/session_limit
- https://www.drupal.org/project/tfa
- https://www.drupal.org/project/username_enumeration_prevention
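
A quick way to check this item on a site is to compare the enabled modules against the list above. The script below is an added example, not part of the original checklist; it assumes Drush is installed, takes the machine names from the project URLs, and uses a constructed sample list (including the hypothetical name `tfa_extra`) so it runs offline.

```shell
#!/bin/sh
# Required modules: machine names taken from the project URLs in the checklist.
REQUIRED_AUTH_MODULES="password_policy login_security flood_control autologout session_limit tfa username_enumeration_prevention"

# Reads enabled module machine names on stdin (one per line) and prints
# every required module that is absent. grep -x matches whole lines only,
# so a module such as "tfa_extra" does not count as "tfa".
missing_auth_modules() {
  enabled=$(cat)
  for m in $REQUIRED_AUTH_MODULES; do
    printf '%s\n' "$enabled" | grep -qx -- "$m" || printf '%s\n' "$m"
  done
}

# Against a live site (assumption: Drush is available in the project):
#   drush pm:list --type=module --status=enabled --field=name | missing_auth_modules

# Constructed sample of enabled modules, for demonstration only.
# "tfa_extra" is a hypothetical name used to show the exact-match behaviour.
SAMPLE_ENABLED='node
user
password_policy
tfa_extra
autologout
flood_control'

# Prints the required modules missing from the sample, one per line.
printf '%s\n' "$SAMPLE_ENABLED" | missing_auth_modules
```

An empty result only shows that the modules are enabled; each one still has to be configured as required.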
Ref:
- OWASP: Authentication cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
- OWASP: Pen test: WSTG-ATHN-03: Testing for Weak Lock Out Mechanism: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism
- OWASP: Pen test: WSTG-ATHN-07: Testing for Weak Password Policy: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy
- OWASP: Pen test: WSTG-ATHN-09: Testing for Weak Password Change or Reset Functionalities: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities
Edited by Janna