Weak credential policy - Temporary passwords
Need
To prevent unauthorized account access through temporary passwords that are static, predictable or otherwise easy to guess.
Context
• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of the Comeonin package for password hashing
Description
1. Non-compliant code
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def create_temporary_password(conn, %{"username" => username}) do
    # Every user receives the same hard-coded value, so anyone who has seen
    # one temporary password (or guessed it) can authenticate as any account
    temporary_password = "password123"
    hashed_password = Comeonin.Bcrypt.hashpwsalt(temporary_password)
    # ... rest of the code
  end
end
In this insecure code, the application assigns the same static, weak temporary password ("password123") to every user who requests one. Hashing it with bcrypt does not help: the attacker never needs the hash, only the plaintext, which is a constant in the source and a top entry in every password wordlist. Anyone who learns or guesses it can complete the reset flow for any account.
2. Steps
• Generate a new temporary password on every request from a cryptographically secure random source (in Elixir, :crypto.strong_rand_bytes/1; :rand and Enum.random/1 are not CSPRNGs and must not be used for secrets).
• Make it long enough to resist online and offline guessing (12 or more characters). If the password policy also requires a mix of uppercase and lowercase letters, numbers and special characters, verify that the generated value satisfies it and regenerate if not, rather than assembling it from a fixed pattern, which lowers its entropy.
• Never reuse a value: each request gets its own password, and it must never be derived from the username or other user data.
• Store only the bcrypt hash, give the temporary password a short expiry, invalidate it after first use, and force the user to choose a new password at first login.
3. Secure code example
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def create_temporary_password(conn, %{"username" => username}) do
    # 12 bytes from the OS CSPRNG, Base64-encoded and truncated to 12
    # characters (about 72 bits of entropy); a fresh value on every request
    temporary_password =
      :crypto.strong_rand_bytes(12)
      |> Base.encode64()
      |> binary_part(0, 12)

    hashed_password = Comeonin.Bcrypt.hashpwsalt(temporary_password)
    # ... rest of the code
  end
end
In the secure code, the application derives each temporary password from :crypto.strong_rand_bytes/1, which reads the operating system's cryptographically secure random source, so every request receives a different value that an attacker cannot predict or guess. Two caveats: Base64 output is not guaranteed to contain every character class listed in the steps, so a policy that requires them must be checked on the generated value; and Comeonin.Bcrypt.hashpwsalt/1 is the Comeonin 4.x API, while with Comeonin 5 and bcrypt_elixir the equivalent call is Bcrypt.hash_pwd_salt/1.
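The following module carries the steps above through in working Elixir: uniform random selection from a character set without modulo bias, a policy check that regenerates rather than patterns the password, bcrypt hashing of the value to be stored, and an expiry enforced at verification time. It is an added example, not code from the original page or from the Comeonin project. The module name MyApp.TemporaryPassword, the character sets, the 16-character default length and the 15-minute lifetime are assumptions chosen for illustration; it assumes Comeonin 4.x (Comeonin.Bcrypt.hashpwsalt/1 and Comeonin.Bcrypt.checkpw/2).

```elixir
defmodule MyApp.TemporaryPassword do
  @moduledoc """
  Generates, hashes and checks single-use temporary passwords.

  Added example, not code from the original page. Assumes Comeonin 4.x
  (`Comeonin.Bcrypt.hashpwsalt/1`, `Comeonin.Bcrypt.checkpw/2`); with
  Comeonin 5 / bcrypt_elixir the equivalents are `Bcrypt.hash_pwd_salt/1`
  and `Bcrypt.verify_pass/2`.
  """

  # Visually ambiguous characters (0/O, 1/l/I) are left out because a
  # temporary password is usually read by a human from an e-mail or SMS.
  @upper ~c"ABCDEFGHJKLMNPQRSTUVWXYZ"
  @lower ~c"abcdefghijkmnpqrstuvwxyz"
  @digits ~c"23456789"
  @special ~c"!@#$%^&*-_=+?"
  @alphabet @upper ++ @lower ++ @digits ++ @special

  # Assumed policy values for this example
  @default_length 16
  @ttl_seconds 15 * 60

  @doc """
  Returns `len` characters drawn from the OS CSPRNG, containing at least one
  character of every class the policy requires.
  """
  def generate(len \\ @default_length) when is_integer(len) and len >= 8 do
    candidate = random_string(len)
    # The policy is enforced by checking random output and retrying, not by
    # building the password from a fixed pattern, which would cut its entropy.
    if has_all_classes?(candidate), do: candidate, else: generate(len)
  end

  @doc """
  Issues a temporary password for `username`. Returns the plaintext, to be
  delivered out of band exactly once, and the record to persist: only the
  bcrypt hash, an expiry time and a flag forcing a change at first login.
  """
  def issue(username) do
    password = generate()

    record = %{
      username: username,
      password_hash: Comeonin.Bcrypt.hashpwsalt(password),
      expires_at: DateTime.add(DateTime.utc_now(), @ttl_seconds, :second),
      must_change: true
    }

    {password, record}
  end

  @doc "Checks a submitted temporary password against a stored record."
  def verify(%{password_hash: hash, expires_at: expires_at}, candidate) do
    # Always run bcrypt so an expired record costs the same time as a live one
    matches? = Comeonin.Bcrypt.checkpw(candidate, hash)
    expired? = DateTime.compare(DateTime.utc_now(), expires_at) != :lt

    cond do
      expired? -> {:error, :expired}
      matches? -> :ok
      true -> {:error, :invalid}
    end
  end

  defp random_string(len) do
    size = length(@alphabet)
    # Largest multiple of `size` that fits in one byte; bytes at or above it
    # are discarded so every alphabet position is equally likely (no modulo bias).
    limit = 256 - rem(256, size)

    Stream.repeatedly(fn -> :binary.first(:crypto.strong_rand_bytes(1)) end)
    |> Stream.filter(&(&1 < limit))
    |> Stream.map(&Enum.at(@alphabet, rem(&1, size)))
    |> Enum.take(len)
    |> List.to_string()
  end

  defp has_all_classes?(password) do
    chars = String.to_charlist(password)

    Enum.all?([@upper, @lower, @digits, @special], fn class ->
      Enum.any?(chars, &(&1 in class))
    end)
  end
end
```

A controller would call `{plaintext, record} = MyApp.TemporaryPassword.issue(username)`, persist `record`, and send `plaintext` to the user through a channel other than the HTTP response; `MyApp.TemporaryPassword.verify(record, plaintext)` then returns `:ok` until the record expires or is consumed. The plaintext must never be logged or written to the database; once the record is stored, the hash is the only copy the application keeps.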