User Credentials Handling Not Clearly Disclosed in Privacy Policy

Description

The application processes user credentials, but the privacy policy does not clearly describe how this sensitive information is protected and managed. Proper handling of credentials is vital for account security, and lack of clarity in the policy can obscure important security practices.

Recommendation

Update your application's privacy policy to clearly explain how user credentials and authentication-related data are handled. Specify the security measures in place to protect this information, such as password hashing and salting, secure storage of tokens, and use of HTTPS.

Standards

  • GDPR:
    • ART_5
    • ART_6
    • ART_12
    • ART_13
    • ART_25
    • ART_32
  • CCPA:
    • CCPA_1798_100
    • CCPA_1798_110
    • CCPA_1798_150
  • OWASP_MASVS_v2_1:
    • MASVS_PRIVACY_1
  • SOC2_CONTROLS:
    • CC_2_3
    • CC_5_3
    • CC_6_1
    • CC_6_2
  • CNIL_FOR_EDITORS:
    • EDITORS_3_1_1
    • EDITORS_4_1_1