Weak Password Policy

Overview of the Vulnerability

When an application's password policy is weak, the strength of its whole authentication process is diminished. Having no minimum length or strength requirements, no deny list of common or breached passwords, no password-history check, and no rate limiting or account lockout on failed attempts all weaken the policy. This application's weak password policy reduces the time an attacker needs to guess account passwords, whether manually or with automated tooling such as dictionary or credential-stuffing attacks, and can lead to account takeover of any account that has a weak password set.

Business Impact

A weak password policy increases the likelihood that customer accounts are compromised through password guessing. The resulting account takeovers cause reputational damage to the business: customers may conclude that the business does not take their account security seriously and lose confidence that the data held in their accounts will remain secure.

Steps to Reproduce

  1. Use a browser to navigate to: {{URL}}

  2. Register a new account, or use the change-password function of an existing test account, and attempt to set a weak password (for example, one that is very short or that appears on common-password lists)

  3. Observe that the application accepts the weak password instead of rejecting it

Proof of Concept (PoC)

The following screenshot shows the weak password policy:

{{screenshot}}

Recommendation(s)

The password policy should be sufficiently robust and enforce at least the following:

  - Require a minimum password length of eight characters and permit passwords of at least 64 characters. A generous upper bound is acceptable, but a hard cap of a few hundred characters protects the password-hashing function from very long inputs.
  - Do not depend on composition rules (requiring a mix of upper and lower case letters, numbers, and special characters); NIST SP 800-63B advises against them because users respond with predictable substitutions such as Password1!. Instead, compare each new password against a deny list of commonly used and previously breached passwords such as password and password123, and reject passwords that contain the company's name or the user's email address or username.
  - When a user changes or resets their password, reject any previous password and any incremented variant of one. For example, a user should not be able to change their password from Correct-h0rse-1 to Correct-h0rse-2.
  - Rate-limit failed login attempts per account so that online guessing is slow; the absence of throttling or lockout is part of what makes a weak policy exploitable.
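The following Python validator is an added illustration of the recommendations above; it is not part of the original template or of the target application. The deny list, the company name, and the user details are constructed sample values, and the hypothetical `validate_password` function returns every violation it finds so that a change-password form can show the user all of them at once.

```python
import re
import unicodedata
from typing import Iterable

# Constructed deny list for this example. A real deployment loads a large
# list of breached and commonly used passwords instead of these five entries.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "123456", "letmein"}

MIN_LENGTH = 8     # NIST SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 128   # must allow at least 64; a cap bounds the hashing cost of huge inputs

_TRAILING_DIGITS = re.compile(r"\d+$")


def _normalize(password: str) -> str:
    """Unicode-normalize and case-fold so that 'Password' compares equal to 'password'."""
    return unicodedata.normalize("NFKC", password).casefold()


def _stem(password: str) -> str:
    """Strip trailing digits so 'Correct-h0rse-1' and 'Correct-h0rse-2' share one stem."""
    return _TRAILING_DIGITS.sub("", _normalize(password))


def validate_password(candidate: str, *, username: str, email: str,
                      company: str, previous: Iterable[str] = ()) -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable.

    `previous` holds the user's earlier passwords in cleartext purely for this
    illustration; see the note below on how this is done against stored hashes.
    """
    problems: list[str] = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    norm = _normalize(candidate)
    if norm in COMMON_PASSWORDS:
        problems.append("appears on the common-password deny list")

    # Context-specific words: company name, username and the local part of the email.
    local_part = email.split("@", 1)[0]
    for label, word in (("company name", company),
                        ("username", username),
                        ("email address", local_part)):
        normalized_word = _normalize(word)
        if normalized_word and normalized_word in norm:
            problems.append(f"contains the {label}")

    # History: reject exact reuse and "incremented" variants (same stem, new digits).
    stem = _stem(candidate)
    for old in previous:
        if _normalize(old) == norm:
            problems.append("matches a previous password")
            break
        if stem and _stem(old) == stem:
            problems.append("is an incremented variant of a previous password")
            break

    return problems


if __name__ == "__main__":
    user = dict(username="jsmith", email="jsmith@example.com", company="Acme")
    for pw in ("Correct-h0rse-2", "Password123", "Acme2024rocks!", "Tr0ub4dor&3-horse-battery-staple"):
        result = validate_password(pw, previous=["Correct-h0rse-1"], **user)
        print(f"{pw!r}: {result or 'accepted'}")
```

The history check above works on cleartext only because this is an illustration. In production the application holds only salted hashes of earlier passwords, so exact reuse is detected by hashing the candidate and comparing. The increment check is best performed in the change-password flow, where the user supplies the current password in cleartext and its stem can be compared with the candidate's before either is hashed.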

For more information, refer to NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), which covers password length, deny lists, and rate limiting: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
