Security Risk(s): During testing we identified that the application does not require users to have strong passwords, which makes it easier for attackers to compromise user accounts. The application only enforces a minimum password length of six characters.
Cause(s): Lack of Enforcement Controls.
Remediation(s): An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. Lack of password complexity significantly reduces the search space when trying to guess users' passwords, making brute-force attacks easier.
A password strength policy should contain the following attributes:
At least 14 characters long; more than 14 characters is better
Different from the default (initial) password
Not be the same as the username
Composed of at least three of the following character classes:
upper case letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
lower case letters abcdefghijklmnopqrstuvwxyz
numbers 0123456789
punctuation marks @#$%^&*()+=`{}[]:";'<>?,./
Not be based on any personal information that is easily available to potential adversaries, such as names of family members, pets, friends, co-workers, birthdays, addresses, phone numbers etc.
Not be based on a word found in dictionaries of any language or based on simple patterns such as aaabbb, qwerty, etc.
Source: UN security assessment.