Insecure Password Policy

[sveeke]

The Openbadge application does not use a secure password policy.

[sveeke]

threatLevel="Elevated" type="Password Policy"

The Openbadge application does not use a secure password policy. The following issuer were found:

• When changing an users password, the old password is not required.
• The password policy is not enforced. According what is written on the password change page a password must contain at least 6 characters. However a password with 4 characters was accepted.
• Weak passwords are accepted. For instance "1234" or "test123"
• The re-use of passwords is allowed.
• When creating a new account a weak password with less than 6 characters could be used as there is no serverside check in place. The latter only checks on the client-side.

Impact: With a successful bruteforce or password guessing attack an attacker could gain access to a users information which would lead to confidentiality and integrity issues.

Recommendation:

• Only allow the user to change their password when a valid current password has been supplied.
• Use a password with the minimum of 8 characters that should be a combination of alphanumeric and special characters.
• Implement and enforce Two-factor-authenticaiton for high privileged accounts.
• Don't accept the use of weak and common used password.
• Don't allow re-use of passwords.