Cracked weak credentials
Need
Enhancement of password security
Context
• Usage of Python 3 for scripting and software development
• Usage of Django for building web applications in Python
Description
1. Non compliant code
from django.contrib.auth.models import User
def create_user(username, password):
user = User.objects.create_user(username, password=password)
user.save()This is a simple function that creates a user in a Django application using the Django's built-in `User` model. A username and password are passed to the function, which are then used to create a new user. The vulnerability here lies in the fact that the password is stored as a hash in the database. Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism that is considered secure. However, the complexity of the hash is directly proportional to the complexity of the password. If a user chooses a weak password, the resulting hash will also be weak, making it easier for an attacker to crack. In other words, the function does not enforce any password complexity requirements. A user could choose a password like "password123", which would result in a weak hash that could be easily cracked by an attacker. This is a common vulnerability in many web applications and can lead to unauthorized access to user accounts.
2. Steps
• Increase the complexity of the password requirements. This could include a minimum length, requiring a mix of uppercase and lowercase letters, numbers, and special characters.
• Implement a password strength meter to give users feedback about the strength of their password during account creation or password change.
• Use a strong, unique salt for each password. Salting adds an extra layer of security to the hashing process.
• Use a slow hash function like bcrypt, scrypt or Argon2. These are designed to be slow and computationally demanding, which makes brute force or dictionary attacks less effective.
• Limit the number of login attempts to prevent brute force attacks.
• Implement multi-factor authentication. This adds an additional layer of security as it requires users to verify their identity using a second factor (like a phone or hardware token) in addition to their password.
• Regularly update and patch your systems to protect against known vulnerabilities.
3. Secure code example
from django.contrib.auth.models import User
from django.contrib.auth.hashers import make_password
import re
def validate_password(password):
# check for minimum length
if len(password) < 8:
# check for uppercase letter...The updated code includes a function `validate_password` that checks the complexity of the password. It ensures that the password is at least 8 characters long and includes at least one uppercase letter, one lowercase letter, one digit, and one special character. In the `create_user` function, before creating a user, it validates the password using the `validate_password` function. If the password does not meet the complexity requirements, it raises a ValueError. The password is then hashed using Django's `make_password` function before being stored in the database. This function uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism that is recommended by NIST. It also automatically handles the creation of a random salt for each password. This code does not include measures to limit login attempts or implement multi-factor authentication. These would need to be implemented elsewhere in your application. Regular system updates and patches are also crucial to maintain security.
References
• 051. Cracked weak credentials