
Weak credential policy

Description

The system's credential policy does not meet the minimum requirements of the applicable security standards (for example, it permits short, single-word or predictable passwords, or it does not enforce a policy at all).

Impact

Increases the likelihood that an attacker obtains valid credentials through brute-force or dictionary attacks, since weak or short passwords fall inside the search space such attacks can cover.

Recommendation

Establish a credential-creation policy that requires long passphrases (several words) instead of single-word passwords, and enforce it in the application rather than relying on user discipline.

Threat

Anonymous user from the Internet.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: U
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:U/RC:C
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Enforce strict password configuration requirements through the ASP.NET Core Identity options (long minimum length, every character class, and many unique characters):

using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class Startup {
    public void ConfigureServices(IServiceCollection services) {
        services.Configure<IdentityOptions>(options => {
            // Require every character class and a long minimum length
            options.Password.RequireDigit = true;
            options.Password.RequiredLength = 16;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireLowercase = true;
            // At least 10 distinct characters, so repeated characters cannot pad the length
            options.Password.RequiredUniqueChars = 10;
        });
    }
}
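The IdentityOptions.Password settings above only enforce length and character classes; they cannot check that a credential is a multi-word passphrase, which is what the Recommendation asks for. The custom IPasswordValidator<TUser> below is an added example and is not code from the original page. It assumes IdentityUser as the user type, assumed policy thresholds (16 characters, 4 words, 3 distinct words), and a constructed two-entry denylist standing in for a real breached-password list; the names PassphraseValidator and WeakPhrases are hypothetical.

```csharp
// Added example (not from the original page): a custom ASP.NET Core Identity
// password validator that enforces a passphrase policy on top of the
// IdentityOptions.Password rules. Thresholds and the WeakPhrases list are
// assumptions; replace the list with a real breached/common-password source.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class PassphraseValidator<TUser> : IPasswordValidator<TUser> where TUser : class
{
    // Assumed policy parameters; tune them to your own standard.
    private const int MinLength = 16;
    private const int MinWords = 4;
    private const int MinDistinctWords = 3;

    // Constructed placeholder for a denylist of known-bad passphrases.
    private static readonly HashSet<string> WeakPhrases = new(StringComparer.OrdinalIgnoreCase)
    {
        "correct horse battery staple",
        "password password password password",
    };

    public async Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string? password)
    {
        var errors = new List<IdentityError>();
        var phrase = password ?? string.Empty;

        if (phrase.Length < MinLength)
            errors.Add(Error("PassphraseTooShort", $"Passphrases must be at least {MinLength} characters."));

        // Split on spaces, hyphens and underscores so "word-word-word" also counts as words.
        var words = phrase.Split(new[] { ' ', '-', '_' }, StringSplitOptions.RemoveEmptyEntries);
        if (words.Length < MinWords)
            errors.Add(Error("PassphraseTooFewWords", $"Passphrases must contain at least {MinWords} words."));

        // Repeating one word adds no entropy: require several distinct words.
        if (words.Select(w => w.ToLowerInvariant()).Distinct().Count() < MinDistinctWords)
            errors.Add(Error("PassphraseRepetitive", $"Passphrases must use at least {MinDistinctWords} different words."));

        // Reject phrases that appear in every cracking wordlist.
        if (WeakPhrases.Contains(string.Join(' ', words)))
            errors.Add(Error("PassphraseKnownWeak", "This passphrase is on the known-weak list."));

        // Reject passphrases that embed the account name, a common dictionary-attack guess.
        var userName = user is null ? null : await manager.GetUserNameAsync(user);
        if (!string.IsNullOrEmpty(userName) && phrase.Contains(userName, StringComparison.OrdinalIgnoreCase))
            errors.Add(Error("PassphraseContainsUserName", "Passphrases must not contain the user name."));

        return errors.Count == 0 ? IdentityResult.Success : IdentityResult.Failed(errors.ToArray());
    }

    private static IdentityError Error(string code, string description) =>
        new IdentityError { Code = code, Description = description };
}

// Registration: the built-in option checks and the custom validator both run on every
// password set or change. A store registration (e.g. AddEntityFrameworkStores) is still
// needed at runtime and is omitted here.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentity<IdentityUser, IdentityRole>(options =>
        {
            options.Password.RequiredLength = 16;
            options.Password.RequiredUniqueChars = 10;
        })
        .AddPasswordValidator<PassphraseValidator<IdentityUser>>();
    }
}
```

Identity runs every registered validator and aggregates their IdentityError results, so the passphrase checks add to rather than replace the option-based ones. When a passphrase policy is in place, the character-class requirements (digits, symbols, case) can be relaxed in favour of length and a breached-password check, which is the direction current guidance such as NIST SP 800-63B takes; keep RequiredLength and the denylist in any case.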

Non compliant code

Insecure code that connects to the database with an empty, hard-coded password, so no credential policy is applied to the service account at all:

using Microsoft.EntityFrameworkCore;

namespace Controllers {
    public class DBaccess {
        public void dbauth() {
            // Hard-coded connection string whose Password field is empty
            DbContextOptionsBuilder optionsBuilder = new DbContextOptionsBuilder();
            string con_str = "Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password=";
            optionsBuilder.UseSqlServer(con_str);

            // Same weakness with the connection string inlined
            DbContextOptionsBuilder optionsBuilder2 = new DbContextOptionsBuilder();
            optionsBuilder2.UseSqlServer("Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password=");
        }
    }
}

Example with insecure password configuration requirements (digits not required, an 8-character minimum, and only 5 unique characters), which leaves passwords inside the reach of brute-force and dictionary attacks:

using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class Startup {
    public void ConfigureServices(IServiceCollection services) {
        services.Configure<IdentityOptions>(options => {
            // Digits not required and a short minimum length
            options.Password.RequireDigit = false;
            options.Password.RequiredLength = 8;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireLowercase = true;
            // Only 5 distinct characters, so repeated characters can pad the length
            options.Password.RequiredUniqueChars = 5;
        });
    }
}

Requirements