workchainio / bug-bounty

Repo for tracking bugs in bounty and WorkChain.io platform.
62 stars 23 forks

Weak password policy #145

Open jatoch opened 6 years ago

jatoch commented 6 years ago

Steps to reproduce:

1: Go to https://workchain.io/registration
2: Fill in all the details and set the password to 123456
3: Create your account.

Impact: An attacker can easily guess user passwords, or use a dictionary attack.

Reference: https://cwe.mitre.org/data/definitions/521.html

Potential mitigations: Enforce usage of strong passwords. A password strength policy should contain the following attributes:
1: Minimum and maximum length;
2: Require mixed character sets (alpha, numeric, special, mixed case);
3: Do not contain user name;
4: Expiration;
5: No password reuse.
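The following is an added example of a server-side check implementing the policy attributes listed in the report (length bounds, mixed character sets, no user name inside the password, no reuse); it is not WorkChain.io code, and the thresholds, the small blocklist that catches the reporter's `123456`, and the PBKDF2 history hashing are assumptions chosen for the example. Expiration is a time-based rule on the account record and is not checked here. Note that current NIST SP 800-63B guidance prefers length plus a breached-password blocklist over composition rules and periodic expiration, so a deployment may want to drop the character-class rule and keep the rest.

```python
"""Server-side password policy check (added example, not WorkChain.io code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string

MIN_LEN = 12           # assumed threshold
MAX_LEN = 128          # cap so a hostile client cannot submit megabytes to hash
HISTORY = 5            # number of previous password hashes kept per user

# Constructed sample blocklist; a real deployment would use a large
# breached-password corpus rather than a handful of literals.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}


def _hash_for_history(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a memory-hard KDF such as
    # argon2id or scrypt is the better choice in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_policy(password: str, username: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems: list[str] = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")

    # Mixed character sets: require three of the four classes.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")

    # Do not contain the user name (case-insensitive substring match).
    if username and username.lower() in password.lower():
        problems.append("contains the user name")

    # Trivially guessable values such as the "123456" from the report.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")

    # No reuse: compare against the salted hashes of previous passwords.
    for salt, digest in history:
        if hmac.compare_digest(_hash_for_history(password, salt), digest):
            problems.append("was used before")
            break
    return problems


def remember_password(password: str, history: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """Record an accepted password's salted hash, keeping only the last HISTORY entries."""
    salt = secrets.token_bytes(16)
    updated = history + [(salt, _hash_for_history(password, salt))]
    return updated[-HISTORY:]


if __name__ == "__main__":
    # Reproduces the report: the registration-form value is rejected.
    print(check_policy("123456", "jatoch", []))
```

Calling `check_policy` from the registration and password-change handlers, and `remember_password` after a successful change, covers items 1, 2, 3 and 5 of the list above; the history must be stored per user alongside the login credential hash.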

ryanpaulfyfe commented 6 years ago

Thanks for the report. Our team is looking into this!