OpenNMS / NMS-13981

[Web] - Weak Password Policy



    • 3
    • Horizon 22 - Jul 7 - Jul 21
    • NB



      The product does not require users to have strong passwords, which makes it easier for attackers to compromise user accounts.

      An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. Lack of password complexity significantly reduces the search space when trying to guess users' passwords, making brute-force attacks easier.


      Steps To Reproduce

      • Enter a weak password (e.g. "12345", "11111") in the change password page.
      • Observe that the application accepts weak/easily guessable passwords during password change.
      • Now the user is able to log in using the weak password in the Web Applications/API.

      Suggested Fix

      1. Allow all characters to be used for passwords to avoid shortening the key space for brute-force guessing.
      2. Do not impose character restrictions such as "must have at least X number of specific character type" in the password. This will shorten the key space for brute-force guessing.
      3. Disallow short password lengths. 12 characters is generally considered a good minimum password length.
      4. Allow for a large maximum password length. The typical maximum length is 128 characters. It is important to set a maximum password length to prevent long-password denial-of-service attacks.
      5. Do not advertise the maximum password length as this will shorten the key space for brute-force guessing.
      6. Disallow previous passwords from being used.
      7. Disallow the password being the same as the email or username.
      8. Avoid allowing users to set guessable passwords and ensure that at least one lowercase letter, one uppercase letter, one special character and one numeric character are used.
      9. The maximum password length should not be set too low, as it will prevent users from creating passphrases.
      10. Include password strength meter to help users create a more complex password and block common and previously breached passwords.
      11. Pwned Passwords (https://haveibeenpwned.com/Passwords) is a service where passwords can be checked against previously breached passwords. You can host it yourself or use the API (https://haveibeenpwned.com/API/v2#PwnedPasswords).
      12. Check the password complexity at https://www.passwordmonster.com/.
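      The following is an added illustration of the length, reuse, identity and breach checks from the suggested fix (items 1, 3, 4, 6, 7 and 11); it is example code written for this note, not OpenNMS code. The breach lookup mimics the Pwned Passwords "range" endpoint with a small constructed table so that it runs offline; the names and the plaintext sample passwords are assumptions.

```python
import hashlib

MIN_LENGTH = 12   # item 3: 12 characters as the minimum
MAX_LENGTH = 128  # item 4: cap length so hashing cannot be abused for DoS


def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the Pwned Passwords range API: maps the first five
# hex characters of a SHA-1 to the digest suffixes seen in breach data.
# In production the suffixes come from https://api.pwnedpasswords.com/range/{prefix}.
BREACH_RANGES = {}
for _pw in ("12345", "11111", "password123"):  # constructed sample entries
    _h = sha1_hex(_pw)
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password, ranges=BREACH_RANGES):
    """k-anonymity lookup: only the 5-character prefix would ever leave this host."""
    digest = sha1_hex(password)
    return digest[5:] in ranges.get(digest[:5], set())


def validate_password(password, username, email, previous_hashes=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    previous_hashes holds sha1_hex() digests of earlier passwords for this user
    (illustrative; a real store would verify against the salted slow hashes it already keeps).
    Item 1 is honoured by never restricting which characters may appear.
    """
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        errors.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in (username.lower(), email.lower()):
        errors.append("same as username or email")
    if sha1_hex(password) in set(previous_hashes):
        errors.append("matches a previously used password")
    if is_breached(password):
        errors.append("appears in breached-password data")
    return errors
```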





            lschreiber Lars Schreiber
            cobalt Cobalt IO