No Password Policy


Overview of the Vulnerability

When no password policy is set, the strength of the application's overall authentication process is diminished. No password policy is present within this web application, allowing weak passwords to be used by any user, including Administrator accounts. This makes it relatively easy for an attacker to guess users' passwords through password spraying or brute-force methods, with minimal effort required to compromise multiple users' accounts.

Business Impact

Having no password policy can result in reputational damage for the business through loss of customers' trust: customers may conclude that the business does not take account security seriously, or doubt that the data they hold within the application will remain secure.

Steps to Reproduce

  1. Use a browser to navigate to: {{URL}}

  2. Attempt to log in

  3. Observe that the application allows the use of weak passwords, such as a

Proof of Concept (PoC)

The following screenshot shows that there is no password policy:

{{screenshot}}

Recommendation(s)

A password policy should be set and be sufficiently robust, containing the following guidelines for users:

  1. Have a minimum password length of eight characters and no maximum limit.

  2. Require at least three different character types, such as upper and lower case letters, numbers, and special characters.

  3. Have a deny list of commonly used words and poor passwords, such as password, password123, the company's name, or a user's email address or username.

  4. When a user resets their password, they should not be able to use a previous password or increment a previous password in any way. For example, a user should not be able to change their password from Correct-h0rse-1 to Correct-h0rse-2.
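As an added illustration (not part of the original report), the following Python validator enforces the four rules above, including the increment check from Correct-h0rse-1 to Correct-h0rse-2. The deny list, company name and sample credentials are constructed placeholders, and the previous-password history is kept in plaintext only for the demonstration.

```python
import re
from typing import List, Optional

# Constructed deny list for the example; a deployment would load a large breached-password list.
DENY_LIST = {"password", "password123", "qwerty", "letmein"}
COMPANY_NAME = "examplecorp"  # assumed placeholder for the company's name, lower-cased


def char_classes(pw: str) -> int:
    """Count how many of the four character types (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def base_form(pw: str) -> str:
    """Lower-case and strip a trailing number, so 'Correct-h0rse-1' and
    'Correct-h0rse-2' reduce to the same base and are treated as an increment."""
    return re.sub(r"\d+$", "", pw.lower())


def validate_password(new_pw: str, username: str, email: str,
                      previous: List[str]) -> Optional[str]:
    """Return None when new_pw satisfies the policy, otherwise the rule it fails."""
    if len(new_pw) < 8:  # minimum length only; the policy sets no maximum
        return "too short: minimum 8 characters"
    if char_classes(new_pw) < 3:
        return "needs at least three character types"
    low = new_pw.lower()
    if low in DENY_LIST or COMPANY_NAME in low:
        return "on the deny list or contains the company name"
    for ident in (username, email, email.split("@")[0]):
        if ident and ident.lower() in low:
            return "contains the username or email address"
    # No reuse of a previous password and no increment of one. 'previous' holds
    # plaintext here for illustration; a real system stores only hashes and would
    # hash candidate variants of new_pw (e.g. the trailing number decremented) instead.
    for old in previous:
        if base_form(new_pw) == base_form(old):
            return "reuses or increments a previous password"
    return None
```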

For more information refer to the following guide relating to this vulnerability: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
