An attacker can attempt to guess a set of credentials if the NotGuessable defence on the asset is disabled. The likelihood of succeeding in guessing them is based on the SecurityAwareness defence of the User associated with the Identity that uses the Credentials to represent that more security aware people tend to ensure they use stronger credentials, while more oblivious individuals are more careless and their credentials tend to be weaker and easier to guess.
However, this implementation means that if the Credentials are not associated with an Identity and/or the Identity to which the Credentials belong is not associated with a User we lack a SecurityAwareness defence to determine the strength of the credentials.
This pull request improves this behaviour by simply assuming that if the Identity or User in the Credentials -> Identity -> User chain are missing the Credentials are weak. This worst-case scenario assumption means that models that want to represent the attacker guessing credentials, but in which the strength of those credentials is not particularly relevant, are simpler to implement.
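The rule described above, as an added illustration that is not coreLang's own MAL source or code from this pull request: a small Python model of the Credentials -> Identity -> User chain in which the guess probability depends on the User's SecurityAwareness defence, the NotGuessable defence blocks guessing entirely, and any missing link in the chain falls back to treating the credentials as weak. The class and attribute names, and the probability values, are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy model of the Credentials -> Identity -> User chain.
# Names mirror the assets and defences mentioned in the PR description;
# the probability values below are illustrative assumptions, not coreLang's.


@dataclass
class User:
    name: str
    security_awareness: bool  # SecurityAwareness defence enabled?


@dataclass
class Identity:
    name: str
    user: Optional[User] = None  # may be missing in a model


@dataclass
class Credentials:
    name: str
    not_guessable: bool = False  # NotGuessable defence enabled?
    identity: Optional[Identity] = None  # may be missing in a model


# Assumed likelihoods that a single guessing attempt succeeds.
STRONG_GUESS_PROB = 0.05  # security-aware user, stronger credentials
WEAK_GUESS_PROB = 0.50  # careless user, or unknown user (worst case)


def credentials_are_weak(cred: Credentials) -> bool:
    """Worst-case rule from the PR: a gap anywhere in the chain means weak."""
    if cred.identity is None or cred.identity.user is None:
        return True
    # Full chain present: strength follows the user's SecurityAwareness.
    return not cred.identity.user.security_awareness


def guess_probability(cred: Credentials) -> float:
    """0.0 when NotGuessable is enabled; otherwise strength-based."""
    if cred.not_guessable:
        return 0.0
    return WEAK_GUESS_PROB if credentials_are_weak(cred) else STRONG_GUESS_PROB


def build_scenarios() -> dict:
    """Constructed sample models covering each branch of the rule."""
    aware = User("alice", security_awareness=True)
    careless = User("bob", security_awareness=False)
    return {
        "full_chain_aware": Credentials("c1", identity=Identity("i1", user=aware)),
        "full_chain_careless": Credentials("c2", identity=Identity("i2", user=careless)),
        "identity_without_user": Credentials("c3", identity=Identity("i3")),
        "no_identity": Credentials("c4"),
        "not_guessable": Credentials("c5", not_guessable=True),
    }


if __name__ == "__main__":
    for label, cred in build_scenarios().items():
        print(f"{label:24s} weak={credentials_are_weak(cred)!s:5s} "
              f"p(guess)={guess_probability(cred)}")
```

The two scenarios with a broken chain (`identity_without_user`, `no_identity`) land on the weak branch without any special-casing in the model, which is the simplification the PR describes: a model that only needs "the attacker can guess these credentials" no longer has to attach an Identity and a User just to give the strength calculation something to read.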