hashgraph / guardian

The Guardian is an innovative open-source platform that streamlines the creation, management, and verification of digital environmental assets. It leverages a customizable Policy Workflow Engine and Web3 technology to ensure transparent and fraud-proof operations, making it a key tool for transforming sustainability practices and carbon markets.
Apache License 2.0

No Password Policy #4057

Open prernaadev01 opened 1 month ago

prernaadev01 commented 1 month ago

Impact

An attacker may guess insecure user passwords or brute-force weak user passwords, especially in the event of a password database breach.

Description

The Guardian web application did not enforce any sort of password policy on its users by default. This allowed new users to create accounts with passwords such as 1 or even blank passwords. The default configuration of the Guardian application allowed users to create new accounts without any password restrictions. If a user does use a weak password, an attacker could guess their password and gain access to their account. Alternatively, in the event of a password database breach, an attacker is more likely to recover a weak password from a brute-force attack.

Recommendation

It is recommended to create a password policy that can be configured by the organizations using the application. It should also be noted that recent guidance from NCSC promotes password policies which are designed to decrease the burden on the user. This can include relaxing controls requiring users to change their passwords at regular intervals in favor of the use of suitably complex passwords. The NCSC password guidance should be reviewed to determine if this new guidance can be applied to the environment reviewed.

Location

Guardian Web Application
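A configurable policy check of the kind the recommendation asks for, written as an added example in TypeScript (the language the Guardian code base uses). It is illustrative code, not Guardian's own implementation or a proposed patch: the environment variable names (PASSWORD_MIN_LENGTH, PASSWORD_MAX_LENGTH, PASSWORD_FORBID_USERNAME, PASSWORD_DENY_LIST), the default values and the deny-list entries are all assumptions. In line with the comment's note on NCSC guidance, it rejects blank and very short passwords and known-weak ones via a deny list rather than imposing composition rules or expiry.

```typescript
// Added example of a configurable password policy; not Guardian's code.
// Env variable names, defaults and deny-list entries are assumptions.

export interface PasswordPolicy {
  minLength: number;        // blank and "1"-style passwords fail here
  maxLength: number;        // upper bound so hashing huge inputs cannot be abused
  denyList: Set<string>;    // known-weak passwords, compared case-insensitively
  forbidUsername: boolean;  // reject passwords that embed the account name
}

// Hypothetical defaults; an organisation overrides them through configuration.
export const DEFAULT_POLICY: PasswordPolicy = {
  minLength: 8,
  maxLength: 128,
  denyList: new Set(['password', '12345678', 'qwertyui', 'iloveyou', 'letmein1']),
  forbidUsername: true,
};

// Build a policy from env-style configuration so each deployment can tune it.
// Invalid values fail loudly at startup instead of silently weakening the policy.
export function policyFromEnv(
  env: Record<string, string | undefined>,
  base: PasswordPolicy = DEFAULT_POLICY,
): PasswordPolicy {
  const num = (key: string, fallback: number): number => {
    const raw = env[key];
    if (raw === undefined || raw.trim() === '') return fallback;
    const n = Number(raw);
    if (!Number.isInteger(n) || n < 1) {
      throw new Error(`${key} must be a positive integer, got "${raw}"`);
    }
    return n;
  };

  const denyList = new Set<string>();
  base.denyList.forEach((w) => denyList.add(w));
  for (const extra of (env.PASSWORD_DENY_LIST ?? '').split(',')) {
    const word = extra.trim().toLowerCase();
    if (word) denyList.add(word);
  }

  const policy: PasswordPolicy = {
    minLength: num('PASSWORD_MIN_LENGTH', base.minLength),
    maxLength: num('PASSWORD_MAX_LENGTH', base.maxLength),
    denyList,
    forbidUsername:
      env.PASSWORD_FORBID_USERNAME === undefined
        ? base.forbidUsername
        : env.PASSWORD_FORBID_USERNAME !== 'false',
  };
  if (policy.minLength > policy.maxLength) {
    throw new Error('PASSWORD_MIN_LENGTH exceeds PASSWORD_MAX_LENGTH');
  }
  return policy;
}

export interface PasswordCheck {
  ok: boolean;
  violations: string[];
}

// Evaluate a candidate password against the policy; every violation is reported
// so the registration form can show the user all the reasons at once.
export function checkPassword(
  password: string,
  username: string,
  policy: PasswordPolicy = DEFAULT_POLICY,
): PasswordCheck {
  const violations: string[] = [];
  const length = password.length; // UTF-16 units; adequate for a length floor

  if (length === 0) {
    violations.push('password must not be blank');
  } else if (length < policy.minLength) {
    violations.push(`password must be at least ${policy.minLength} characters`);
  }
  if (length > policy.maxLength) {
    violations.push(`password must be at most ${policy.maxLength} characters`);
  }

  const lowered = password.toLowerCase();
  if (policy.denyList.has(lowered)) {
    violations.push('password is on the deny list of commonly used passwords');
  }
  // Skip the username check for very short names to avoid matching on noise.
  if (policy.forbidUsername && username.length >= 3 && lowered.includes(username.toLowerCase())) {
    violations.push('password must not contain the username');
  }
  return { ok: violations.length === 0, violations };
}
```

The check is meant to run server-side on both registration and password change; the client-side form can reuse the same function for immediate feedback, but only the server copy is authoritative. Breached-password lookups (for example against a k-anonymity range API) would slot in as one more violation source without changing the shape of the policy.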