Skip to main content

Cracked weak credentials


Enhancement of password security


  • Usage of Python 3 for scripting and software development
  • Usage of Django for building web applications in Python


Non compliant code

from django.contrib.auth.models import User

def create_user(username, password):
user = User.objects.create_user(username, password=password)

This is a simple function that creates a user in a Django application using the Django's built-in User model. A username and password are passed to the function, which are then used to create a new user.

The vulnerability here lies in the fact that the password is stored as a hash in the database. Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism that is considered secure. However, the complexity of the hash is directly proportional to the complexity of the password. If a user chooses a weak password, the resulting hash will also be weak, making it easier for an attacker to crack.

In other words, the function does not enforce any password complexity requirements. A user could choose a password like "password123", which would result in a weak hash that could be easily cracked by an attacker. This is a common vulnerability in many web applications and can lead to unauthorized access to user accounts.


  • Increase the complexity of the password requirements. This could include a minimum length, requiring a mix of uppercase and lowercase letters, numbers, and special characters.
  • Implement a password strength meter to give users feedback about the strength of their password during account creation or password change.
  • Use a strong, unique salt for each password. Salting adds an extra layer of security to the hashing process.
  • Use a slow hash function like bcrypt, scrypt or Argon2. These are designed to be slow and computationally demanding, which makes brute force or dictionary attacks less effective.
  • Limit the number of login attempts to prevent brute force attacks.
  • Implement multi-factor authentication. This adds an additional layer of security as it requires users to verify their identity using a second factor (like a phone or hardware token) in addition to their password.
  • Regularly update and patch your systems to protect against known vulnerabilities.

Compliant code

from django.contrib.auth.models import User
from django.contrib.auth.hashers import make_password
import re

def validate_password(password):
# check for minimum length
if len(password) < 8:
return False
# check for uppercase letter
if not"[A-Z]", password):
return False
# check for lowercase letter
if not"[a-z]", password):
return False
# check for digit
if not"[0-9]", password):
return False
# check for special characters
if not"[!@#$%^&*()]", password):
return False
return True

def create_user(username, password):
if not validate_password(password):
raise ValueError("Password does not meet complexity requirements")
hashed_password = make_password(password)
user = User.objects.create_user(username, password=hashed_password)

The updated code includes a function validate_password that checks the complexity of the password. It ensures that the password is at least 8 characters long and includes at least one uppercase letter, one lowercase letter, one digit, and one special character.

In the create_user function, before creating a user, it validates the password using the validate_password function. If the password does not meet the complexity requirements, it raises a ValueError.

The password is then hashed using Django's make_password function before being stored in the database. This function uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism that is recommended by NIST. It also automatically handles the creation of a random salt for each password.

This code does not include measures to limit login attempts or implement multi-factor authentication. These would need to be implemented elsewhere in your application. Regular system updates and patches are also crucial to maintain security.