Weak credential policy - Password strength

Description

The credential policy present in the system does not have the recommended parameters.

Impact

Allows users to assign weak passwords to their accounts, which an attacker can later recover easily through brute-force or dictionary attacks.

Recommendation

Establish a policy for credential creation that involves phrases and not word-based passwords.

Threat

Attacker with an account creation invitation from the Internet.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The resource has strong, secure password configuration settings.

Resources:
  MySecret1:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: MySecretForAppA
      Description: "This secret has a dynamically generated secret password."
      GenerateSecretString:
        SecretStringTemplate: '{"username": "test-user"}'
        GenerateStringKey: "password"
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
        ExcludeLowercase: false
        ExcludeNumbers: false
        ExcludePunctuation: false
        ExcludeUppercase: false
        IncludeSpace: false
        RequireEachIncludedType: true
  MySecret2:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: MySecretForAppA
      Description: "This secret has a dynamically generated secret password."

Non compliant code

The resource has weak password configuration settings.

Resources:
  MySecret1:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: MySecretForAppA
      Description: "This secret has a dynamically generated secret password."
      GenerateSecretString:
        SecretStringTemplate: '{"username": "test-user"}'
        GenerateStringKey: "password"
        PasswordLength: 12
        ExcludeCharacters: '"@/\'
        ExcludeLowercase: true
        ExcludeNumbers: false
        ExcludePunctuation: true
        ExcludeUppercase: false
        IncludeSpace: true
        RequireEachIncludedType: false
  MySecret2:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: MySecretForAppA
      Description: "This secret has a dynamically generated secret password."

Using the AWS CLI, the following command returns the password policy for the AWS account:

$ aws iam get-account-password-policy

The returned policy has the following structure:

{
  "PasswordPolicy": {
    "AllowUsersToChangePassword": true,
    "RequireLowercaseCharacters": false,
    "RequireUppercaseCharacters": false,
    "MinimumPasswordLength": 8,
    "RequireNumbers": false,
    "RequireSymbols": false,
    "HardExpiry": false,
    "ExpirePasswords": false
  }
}

If the password policy does not comply with strong configuration settings, the policy is insecure.
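The following added example (not part of the original page) automates both checks described above: it evaluates the JSON document returned by `aws iam get-account-password-policy` and the `GenerateSecretString` properties of the compliant and non-compliant CloudFormation resources. The minimum-length thresholds and the defaults applied to missing keys are assumptions chosen for this check, and the sample inputs are constructed from the structures shown on the page.

```python
import json

# Thresholds used by this check; assumed values, not prescribed by the page.
MIN_IAM_LENGTH = 14
MIN_SECRET_LENGTH = 16

# Constructed sample mirroring the structure that
# `aws iam get-account-password-policy` returns.
SAMPLE_IAM_POLICY = json.loads("""
{"PasswordPolicy": {"AllowUsersToChangePassword": true,
 "RequireLowercaseCharacters": false, "RequireUppercaseCharacters": false,
 "MinimumPasswordLength": 8, "RequireNumbers": false,
 "RequireSymbols": false, "HardExpiry": false, "ExpirePasswords": false}}
""")

# GenerateSecretString properties of the two CloudFormation resources above.
COMPLIANT = {"PasswordLength": 16, "ExcludeLowercase": False, "ExcludeNumbers": False,
             "ExcludePunctuation": False, "ExcludeUppercase": False,
             "IncludeSpace": False, "RequireEachIncludedType": True}
NON_COMPLIANT = {"PasswordLength": 12, "ExcludeLowercase": True, "ExcludeNumbers": False,
                 "ExcludePunctuation": True, "ExcludeUppercase": False,
                 "IncludeSpace": True, "RequireEachIncludedType": False}


def iam_policy_findings(doc):
    """Return the weaknesses found in an IAM account password policy document."""
    p = doc["PasswordPolicy"]
    findings = []
    if p.get("MinimumPasswordLength", 0) < MIN_IAM_LENGTH:
        findings.append(f"MinimumPasswordLength below {MIN_IAM_LENGTH}")
    for key in ("RequireLowercaseCharacters", "RequireUppercaseCharacters",
                "RequireNumbers", "RequireSymbols"):
        if not p.get(key, False):  # each character class must be enforced
            findings.append(f"{key} is not enforced")
    return findings


def secret_string_findings(gen):
    """Return the weaknesses found in a GenerateSecretString block.
    Missing keys take the assumed defaults: length 32, nothing excluded,
    no spaces, and every included character type required."""
    findings = []
    if gen.get("PasswordLength", 32) < MIN_SECRET_LENGTH:
        findings.append(f"PasswordLength below {MIN_SECRET_LENGTH}")
    for key in ("ExcludeLowercase", "ExcludeUppercase", "ExcludeNumbers", "ExcludePunctuation"):
        if gen.get(key, False):  # excluding a class shrinks the search space
            findings.append(f"{key} removes a whole character class")
    if gen.get("IncludeSpace", False):
        findings.append("IncludeSpace is enabled")
    if not gen.get("RequireEachIncludedType", True):
        findings.append("RequireEachIncludedType is false, so a class may be absent")
    return findings
```

An empty list means the configuration passes every check; each string in a non-empty list names one setting to correct.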

Requirements