Weak credential policy - Temporary passwords
Need
To prevent unauthorized account access through weak or predictable temporary passwords, which an attacker can guess and reuse against every account that has one pending.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of the Comeonin package for password hashing (the Comeonin.Bcrypt API shown below belongs to Comeonin versions before 5.0; from 5.0 on bcrypt is provided by bcrypt_elixir as Bcrypt.hash_pwd_salt/1)
Description
Non compliant code
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def create_temporary_password(conn, %{"username" => username}) do
    # Hard-coded value: every user who asks for a reset gets the same
    # temporary password, and it is visible to anyone who reads the source.
    temporary_password = "password123"
    hashed_password = Comeonin.Bcrypt.hashpwsalt(temporary_password)
    # ... rest of the code
  end
end
In this insecure code, the application assigns the same static, weak temporary password to every user who requests one. Anyone who reads the source, sees one reset e-mail, or simply tries common passwords can then log in to any account with a pending reset; hashing the value with bcrypt does not help, because the attacker never needs to recover it from the hash.
Steps
- Generate a strong, random temporary password for each user request, using a cryptographically secure random source such as :crypto.strong_rand_bytes/1, never a hard-coded or sequential value.
- The temporary password should have a minimum length (at least 12 characters) and, where the policy requires it, contain a mix of uppercase and lowercase letters, numbers, and special characters; the entropy of the random source is what actually makes the value unguessable.
- The temporary password should be unique for each request, stored only as a hash, and delivered to the user once.
Compliant code
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def create_temporary_password(conn, %{"username" => username}) do
    # 12 random bytes from the OS CSPRNG, Base64-encoded (16 characters),
    # truncated to 12 characters: 6 bits per character, about 72 bits of entropy.
    temporary_password =
      :crypto.strong_rand_bytes(12)
      |> Base.encode64()
      |> binary_part(0, 12)

    # Only the bcrypt hash is stored; the plaintext is sent to the user once.
    hashed_password = Comeonin.Bcrypt.hashpwsalt(temporary_password)
    # ... rest of the code
  end
end
In the secure code, the application generates a fresh, random temporary password for each request, so no two users share one and an attacker cannot guess it: 12 characters drawn from the 64-symbol Base64 alphabet give roughly 72 bits of entropy. Note that standard Base64 only contains the symbols "+" and "/", and they are not guaranteed to appear in the truncated output; if the policy requires every character class, the generated value has to be checked (and regenerated) before use. The temporary password should also expire after a short time and be invalidated once it has been used.
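The following module is an added example, not code from the original page, showing the three steps above end to end: a random password with every character class present, a bcrypt hash plus expiry for storage, and a verification that refuses expired or reused values. The module name MyApp.TemporaryPassword, the 15-minute lifetime and the record shape are assumptions; it targets Comeonin before 5.0 (Comeonin.Bcrypt), as in the page's context, and the equivalent bcrypt_elixir calls are named in the comments.

```elixir
defmodule MyApp.TemporaryPassword do
  @moduledoc """
  Added example (not part of the original page): per-request temporary
  passwords that are random, unique, hashed at rest and short-lived.
  Assumes Comeonin < 5.0; with Comeonin 5 / bcrypt_elixir replace
  Comeonin.Bcrypt.hashpwsalt/1 with Bcrypt.hash_pwd_salt/1,
  checkpw/2 with Bcrypt.verify_pass/2 and dummy_checkpw/0 with Bcrypt.no_user_verify/0.
  """

  # Assumed lifetime of a temporary password before it must be reissued.
  @ttl_seconds 15 * 60

  @doc """
  Returns `length` characters (default 16) from the URL-safe Base64 alphabet
  (a-z, A-Z, 0-9, "-" and "_"): 6 bits of OS CSPRNG entropy per character,
  regenerated until lowercase, uppercase, digit and symbol are all present.
  """
  def generate(length \\ 16) when is_integer(length) and length >= 12 do
    candidate =
      :crypto.strong_rand_bytes(length)
      |> Base.url_encode64(padding: false)
      |> binary_part(0, length)

    if mixed?(candidate), do: candidate, else: generate(length)
  end

  defp mixed?(password) do
    Enum.all?([~r/[a-z]/, ~r/[A-Z]/, ~r/[0-9]/, ~r/[-_]/], &Regex.match?(&1, password))
  end

  @doc """
  Issues a temporary password for `username`. Returns the plaintext, which is
  delivered to the user once and never stored, and the record to persist:
  bcrypt hash, expiry timestamp and a single-use flag.
  """
  def issue(username) do
    plaintext = generate()

    record = %{
      username: username,
      password_hash: Comeonin.Bcrypt.hashpwsalt(plaintext),
      expires_at: DateTime.add(DateTime.utc_now(), @ttl_seconds, :second),
      used: false
    }

    {plaintext, record}
  end

  @doc """
  Checks a submitted value against the stored record. Unknown users still pay
  the cost of a bcrypt comparison so the response time does not reveal whether
  a reset is pending; used and expired records are rejected before comparing.
  """
  def verify(nil, _submitted) do
    Comeonin.Bcrypt.dummy_checkpw()
    {:error, :not_found}
  end

  def verify(%{used: true}, _submitted), do: {:error, :already_used}

  def verify(%{expires_at: expires_at, password_hash: hash} = record, submitted) do
    cond do
      DateTime.compare(DateTime.utc_now(), expires_at) == :gt -> {:error, :expired}
      Comeonin.Bcrypt.checkpw(submitted, hash) -> {:ok, %{record | used: true}}
      true -> {:error, :invalid}
    end
  end
end

# Usage from the controller (persistence and delivery are left to the caller):
#
#   {plaintext, record} = MyApp.TemporaryPassword.issue(username)
#   # store `record`, send `plaintext` to the user over a verified channel
#
#   case MyApp.TemporaryPassword.verify(stored_record, submitted) do
#     {:ok, consumed} -> # save `consumed` (used: true) and force a password change
#     {:error, _reason} -> # generic failure message, no detail to the client
#   end
```

Rejection sampling in generate/1 only discards candidates that lack a character class, so the result still comes from the CSPRNG with about 6 bits per character; on a successful verify the caller should persist the returned record with used: true and require the user to set a permanent password immediately.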