Weak credential policy - Temporary passwords
Need
Implementation of a strong credential policy for temporary passwords
Context
- Usage of Java 8 for developing applications with enhanced features and performance
- Usage of javax.servlet for building Java web applications with Servlet technology
- Usage of javax.servlet.http for handling HTTP requests and responses in Java Servlets
- Usage of java.io for input and output operations in Java
Description
Non compliant code
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
public class PasswordServlet extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");
String tempPassword = "password123";
// Code to set the temporary password for the user
// ....
}
}
In the above code, we are setting a temporary password for a user. The doPost method is handling a POST request where we get the username from the request parameters. Then, we are setting the temporary password as "password123".
This code is vulnerable due to its weak credential policy. The temporary password is not strong enough, it's a common password and can be easily guessed or brute forced by attackers. This can lead to unauthorized access to user accounts.
The password is also hardcoded which is a bad practice. If the source code is leaked or accessible, the password is exposed.
Moreover, there's no mechanism to force the user to change the temporary password after the first login. This means that if the user does not change this password, the account remains with the weak password indefinitely.
This is a serious security vulnerability and can lead to potential data breaches.
In a secure system, temporary passwords should be strong, unique, and must be changed after the first login. They should not be hardcoded into the application.
Steps
- Implement a strong password policy for temporary passwords
- Generate temporary passwords using a secure random number generator
- Enforce a minimum password length for temporary passwords
- Require a combination of uppercase letters, lowercase letters, numbers, and special characters in temporary passwords
- Implement password expiration for temporary passwords
- Store temporary passwords securely, such as using strong encryption
- Implement measures to prevent brute-force attacks on temporary passwords
Compliant code
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Random;
public class PasswordServlet extends HttpServlet {
private static final String CHAR_LOWER = "abcdefghijklmnopqrstuvwxyz";
private static final String CHAR_UPPER = CHAR_LOWER.toUpperCase();
private static final String NUMBER = "0123456789";
private static final String OTHER_CHAR = "!@#$%&*()_+-=[]?";
private static final String PASSWORD_ALLOW_BASE = CHAR_LOWER + CHAR_UPPER + NUMBER + OTHER_CHAR;
private static SecureRandom random = new SecureRandom();
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");
String tempPassword = generateRandomPassword(10);
// Code to set the temporary password for the user
// ....
}
public static String generateRandomPassword(int length) {
if (length < 1) throw new IllegalArgumentException();
StringBuilder sb = new StringBuilder(length);
for (int i = 0; i < length; i++) {
int rndCharAt = random.nextInt(PASSWORD_ALLOW_BASE.length());
char rndChar = PASSWORD_ALLOW_BASE.charAt(rndCharAt);
sb.append(rndChar);
}
return sb.toString();
}
}
The updated code includes a method to generate a random password with a specified length. The generateRandomPassword method uses a SecureRandom object to generate a random password. The password includes a combination of lowercase letters, uppercase letters, numbers, and special characters.
The doPost method now calls generateRandomPassword to create a temporary password for the user. This password is more secure than the previous hard-coded password.
This code does not include password expiration or measures to prevent brute-force attacks. These features would typically be implemented server-side, not within the servlet itself.
The temporary password should be stored securely, such as using strong encryption. This is not shown in the code, as it would typically be handled by the code that sets the user's password.
This code also does not include a check for minimum password length. The generateRandomPassword method throws an IllegalArgumentException if the specified length is less than 1, but you may want to enforce a longer minimum length.