Identity Management / Weak Password Rules

Web and API

Description

Weak password rules are an identity-management vulnerability that occurs when a system allows users to set weak passwords, such as passwords that are too short or that lack the required complexity. This vulnerability has been assigned the Common Weakness Enumeration (CWE) ID 521. The Open Web Application Security Project (OWASP) Testing Guide specifies how to test for weak password policies (WSTG-ATHN-07).

Risk

Weak password rules can allow malicious actors to gain unauthorized access to a system. In addition, if the passwords are stored in an insecure manner, the attacker can easily obtain the passwords. This can lead to a significant data breach, which can have serious financial and reputational consequences for the organization.

Solution

Organizations should implement strong password policies for their users. Such a policy should include a minimum password length, a mix of upper- and lower-case letters, numbers, and special characters, and a limit on the number of incorrect login attempts. Previously leaked passwords, and passwords included in public wordlists, should not be allowed. Additionally, passwords should not be stored in plain text; instead, secure password verifiers (e.g. generated by a secure password hashing function) should be stored.

Example

Below is an example of a weak password policy taken from the CVE directory. This check rejects only passwords of six characters or fewer, so any password of seven or more characters is accepted, and the error message is off by one from the check it accompanies:

// Weak check: only passwords of six characters or fewer are rejected, so a
// seven-character password passes. Note the off-by-one: the message promises a
// six-character minimum, yet a six-character password is rejected.
if (password.length() <= 6) {
    throw new Exception("The password must be at least 6 characters long!");
}
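As an added example that is not part of the original entry, the following Python sketch implements the policy described under Solution and sets it against the weak check above: a length floor with the off-by-one removed, character-class checks, a denylist standing in for a breached-password feed, a salted scrypt verifier in place of plaintext storage, and a per-account lockout after a fixed number of failed attempts. The thresholds (12 characters, 5 attempts) and the denylist contents are assumptions, not values from the entry.

```python
import hashlib
import os
import secrets

MIN_LENGTH = 12          # assumed threshold; the entry sets no specific number
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold
# Constructed stand-in for a breached-password / public-wordlist feed.
BREACHED = {"password", "123456", "qwerty123", "letmein", "welcome1"}

def check_policy(password: str) -> list:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    # Strict '<' so that a MIN_LENGTH-character password is accepted, unlike the
    # weak check above, which rejects the very length its message promises.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if password.lower() in BREACHED:
        problems.append("appears in a breached-password list")
    return problems

def make_verifier(password: str) -> dict:
    """Store a salted scrypt verifier, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return {"salt": salt, "digest": digest}

def verify(password: str, verifier: dict) -> bool:
    digest = hashlib.scrypt(password.encode(), salt=verifier["salt"], n=2**14, r=8, p=1)
    return secrets.compare_digest(digest, verifier["digest"])  # constant-time compare

class LoginThrottle:
    """Counts consecutive failures per account and locks it after MAX_FAILED_ATTEMPTS."""
    def __init__(self):
        self.failures = {}

    def attempt(self, user: str, password: str, verifier: dict) -> bool:
        if self.failures.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return False  # locked: refuse before touching the verifier
        ok = verify(password, verifier)
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok
```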
