Closed christtyk closed 3 years ago
Also reported by a cloud customer in 10301:
Pentester identified the Developer Portal application’s password policy by attempting to
register a new user. The policy required a password to be 6 characters, and no further
restrictions were in place. To emphasize the ability for users to create and use weak passwords,
the pentester created accounts with the password set to "password". This password is
considered one of the most commonly chosen passwords. Even with brute-force protection
mechanisms in place, an account with such a password is highly susceptible to compromise.
Supporting evidence is shown below.
NIST’s 800-63 “Authenticator and Verifier Requirements.”
• 2.1.1 Verify that user set passwords are at least 12 characters in length.
• 2.1.2 Verify that passwords 64 characters or longer are permitted.
• 2.1.3 Verify that passwords can contain spaces and truncation is not performed.
Consecutive multiple spaces MAY optionally be coalesced.
• 2.1.4 Verify that Unicode characters are permitted in passwords. A single
Unicode code point is considered a character, so 12 emoji or 64 kanji
characters should be valid and permitted.
• 2.1.7 Verify that passwords submitted during account registration, login, and
password change are checked against a set of breached passwords either
locally (such as the top 1,000 or 10,000 most common passwords which
match the system’s password policy) or using an external API. If using an
API a zero knowledge proof or other mechanism should be used to ensure
that the plain text password is not sent or used in verifying the breach
status of the password. If the password is breached, the application
must require the user to set a new non-breached password.
• 2.1.11 Verify that “paste” functionality, browser password helpers,
and external password managers are permitted.
Will be released within days.
Is your feature request related to a problem? Please describe. The Tyk API Gateway does not require users to choose strong passwords. No password complexity is enforced, and the minimum password length is six characters. (Cloud)
Describe the solution you'd like NZISM Password Selection Policy states that the minimum password length should be at least 10 characters, with complexity rules including uppercase and lowercase characters, numbers, and symbols. If complexity is not used then the minimum length should be 16 characters.
Cloud user - from ticket.
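The following is an added example, not code from the Tyk project or from either ticket. It shows how the 2.1.x requirements quoted in the comment (length counted in Unicode code points, no truncation, optional coalescing of spaces, 64+ characters permitted, a local breached-password check) and the NZISM lengths from the issue body (10 characters with complexity, otherwise 16) can be expressed as one configurable validator. The `Policy` type, the two policy values and the short breached list are constructed for illustration and are not Tyk configuration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Policy is a hypothetical configuration type for this example, not Tyk's own API.
// All lengths are counted in Unicode code points, never in bytes.
type Policy struct {
	MinLength         int  // minimum length when complexity (if required) is met
	RequireComplexity bool // require upper, lower, digit and symbol classes
	MinLengthRelaxed  int  // minimum length accepted without complexity; 0 disables
	MaxLength         int  // 0 means no upper bound, so 64+ character passwords pass
}

// ASVSPolicy mirrors the quoted 2.1.x items: 12 code points, no complexity classes.
var ASVSPolicy = Policy{MinLength: 12}

// NZISMPolicy mirrors the issue body: 10 characters with complexity, else 16.
var NZISMPolicy = Policy{MinLength: 10, RequireComplexity: true, MinLengthRelaxed: 16}

// breachedPasswords is a constructed stand-in for a local "top N" breached list.
var breachedPasswords = map[string]struct{}{
	"password": {}, "password1": {}, "123456": {}, "qwerty": {}, "letmein": {},
}

// coalesceSpaces collapses runs of spaces into one (2.1.3 says this MAY be done)
// and never truncates the input.
func coalesceSpaces(s string) string {
	var b strings.Builder
	prevSpace := false
	for _, r := range s {
		if r == ' ' && prevSpace {
			continue
		}
		prevSpace = r == ' '
		b.WriteRune(r)
	}
	return b.String()
}

// hasAllClasses reports whether s contains upper, lower, digit and symbol runes.
func hasAllClasses(s string) bool {
	var upper, lower, digit, symbol bool
	for _, r := range s {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	return upper && lower && digit && symbol
}

// isBreached does a case-insensitive lookup in the local list. A deployment using an
// external API would query it without sending the plaintext password (2.1.7).
func isBreached(s string) bool {
	_, hit := breachedPasswords[strings.ToLower(s)]
	return hit
}

// ValidatePassword returns the list of policy violations; an empty slice means accepted.
func ValidatePassword(pw string, p Policy) []string {
	if !utf8.ValidString(pw) {
		return []string{"password is not valid UTF-8"}
	}
	var problems []string
	pw = coalesceSpaces(pw)
	n := utf8.RuneCountInString(pw)

	need := p.MinLength
	if p.RequireComplexity && !hasAllClasses(pw) {
		if p.MinLengthRelaxed > 0 {
			need = p.MinLengthRelaxed // a long passphrase is accepted in place of complexity
		} else {
			problems = append(problems, "must contain upper, lower, digit and symbol characters")
		}
	}
	if n < need {
		problems = append(problems, fmt.Sprintf("too short: %d code points, minimum %d", n, need))
	}
	if p.MaxLength > 0 && n > p.MaxLength {
		problems = append(problems, fmt.Sprintf("too long: %d code points, maximum %d", n, p.MaxLength))
	}
	if isBreached(pw) {
		problems = append(problems, "appears in the breached-password list")
	}
	return problems
}

func main() {
	// Constructed sample inputs, including the pentester's "password" and a 12-emoji value.
	for _, pw := range []string{"password", "correct horse battery staple", strings.Repeat("🔒", 12), "Password1!", "Passw0rd"} {
		fmt.Printf("ASVS  %q -> %v\n", pw, ValidatePassword(pw, ASVSPolicy))
		fmt.Printf("NZISM %q -> %v\n", pw, ValidatePassword(pw, NZISMPolicy))
	}
}
```

Under `ASVSPolicy` the value "password" fails twice (8 code points and on the breached list), while a 28-character passphrase and 12 emoji both pass, since length is measured in code points. Under `NZISMPolicy` "Password1!" passes at exactly 10 characters with all four classes, and "Passw0rd" is rejected because without a symbol the relaxed 16-character minimum applies. Paste and password-manager support (2.1.11) is a front-end concern and is not part of this server-side check.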