securingdev / infosec_mentors_project

Building a community for those that both seek and wish to provide mentorship in Information Security.
GNU General Public License v3.0

Add Password Security Policy #10

Open ghost opened 7 years ago

ghost commented 7 years ago

Background: First time account setup still accepts "password" as a password, showing few controls have been implemented on password security. Demonstrated Thursday March 9, 2017 by creating a new account.

Suggested Remedy: Define minimum requirements for password complexity at registration. This should include rules such as requiring at least one letter, number, and special character. New password policy needs to be resistant to freely-available tools and methods for password guessing (e.g. dictionary attack), along with a retry limit to further restrict unauthorized access. A footnote should be added below the password section at signup indicating minimum requirements.

Long Term Considerations: As membership expands and the information contained on the site becomes more diverse, further login security enhancements and options for multifactor authentication reflecting NIST recommendations should be implemented.
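An added example, not code from the infosec_mentors_project repository, of the registration-time controls the issue asks for: a complexity check backed by a constructed deny-list for dictionary resistance, plus a per-account retry limiter. The minimum length, attempt count and lockout window are assumed values, since the issue gives no numbers.

```python
import re
import time
from collections import defaultdict

# Constructed deny-list standing in for a dictionary / breached-password corpus
# (assumption: a real deployment would load a large list from disk).
DENYLIST = {"password", "password1", "letmein", "qwerty", "welcome", "mentor"}
LEET = str.maketrans({"@": "a", "$": "s", "0": "o"})  # common substitutions
MIN_LENGTH = 12            # assumed minimum; the issue gives no number
MAX_ATTEMPTS = 5           # assumed retry limit per account
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window

def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("must contain a letter")
    if not re.search(r"\d", candidate):
        problems.append("must contain a digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must contain a special character")
    # Dictionary resistance: compare the raw value, the letters only, and the
    # letters after undoing common substitutions, so "P@ssw0rd1!" still matches
    # the deny-list entry "password".
    lower = candidate.lower()
    variants = {lower,
                re.sub(r"[^a-z]", "", lower),
                re.sub(r"[^a-z]", "", lower.translate(LEET))}
    if variants & DENYLIST:
        problems.append("is a commonly used password")
    return problems

class RetryLimiter:
    """Per-account failed-login counter with a sliding lockout window (in-memory)."""
    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts, self.lockout, self.clock = max_attempts, lockout, clock
        self.failures = defaultdict(list)  # username -> timestamps of recent failures

    def is_locked(self, user: str) -> bool:
        now = self.clock()
        self.failures[user] = [t for t in self.failures[user] if now - t < self.lockout]
        return len(self.failures[user]) >= self.max_attempts

    def record_failure(self, user: str) -> None:
        self.failures[user].append(self.clock())

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
```

The login handler would call `is_locked` before verifying credentials and `record_failure` / `record_success` afterwards; the messages returned by `check_password` can double as the signup footnote text.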

securingdev commented 7 years ago

Great feedback - and I agree, password complexity does need to be increased as functionality grows for the site.

At this time, there are steps taken to mitigate brute-force attempts against the site. Would definitely welcome some assistance with this!

vot3k commented 7 years ago

Definitely good feedback. We will incorporate down the line. I agree with @andMYhacks regarding the mitigating control with respect to the potential risk exposure.