Authentication / Weak Password Change or Reset Functionalities
Description
Weak Password Change or Reset Functionalities is an authentication vulnerability (CWE-259) that affects web and API applications. It occurs when there are no restrictions on the strength of passwords that can be set or reset. As a result, users are allowed to set weak passwords, increasing the risk of unauthorized access to the application. This vulnerability can be found in the OWASP Testing Guide as part of the Authentication Testing section.
Risk
Weak Password Change or Reset Functionalities is a high risk vulnerability because weak passwords are far easier to guess or brute-force, allowing attackers to gain access to the application through a legitimate account. This can lead to data theft, manipulation of data, or unauthorized access to resources. To assess the risk of this vulnerability, it is important to consider the sensitivity of the data stored and the resources available in the application.
Solution
To fix the Weak Password Change or Reset Functionalities vulnerability, it is important to ensure that any password set through the change or reset flow meets a defined strength requirement. This can be done by enforcing a minimum character length and requiring the use of at least one uppercase letter, one lowercase letter, one number, and one special character. Additionally, it is important to ensure that previously used passwords are not reused, and that users are not allowed to set their username as their password.
Example
The following example uses a regular expression to check if a new password meets the strength requirements. The regular expression requires a minimum length of 8 characters and checks for at least one lowercase letter, one uppercase letter, one number, and one special character.
import re

# Requires at least 8 characters, one lowercase letter, one uppercase letter,
# one digit and one special character; a raw string keeps \d from being
# interpreted as a string escape.
PASSWORD_PATTERN = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*#?&])[A-Za-z\d@$!#%*?&]{8,}$"

new_password = 'P@ssword123'
if re.match(PASSWORD_PATTERN, new_password):
    print("Valid Password")
else:
    print("Invalid Password")