Weak credential policy - Temporary passwords - Ruby


Need

Enhancement of temporary password security policies


Context

  1. Usage of Ruby 2.7 for developing Ruby applications
  2. Usage of Rails for building web applications

Description

Insecure Code Example

class UsersController < ApplicationController
  def reset_password
    @user = User.find(params[:id])
    # Every reset assigns the same hardcoded, guessable value
    @user.password = 'password123'
    @user.save!
    redirect_to @user
  end
end

The vulnerable code above is a `reset_password` method in the `UsersController` class, responsible for resetting users' passwords. The vulnerability lies in the fact that the new password is the hardcoded string 'password123', which is weak and does not follow any strong password policy. When a user requests a password reset, the system assigns this weak, easily guessable password to the account, leaving it highly susceptible to brute-force and dictionary attacks. Moreover, the same temporary password is assigned to every user who requests a reset, so an attacker who learns it from one account can try it against any other account whose password has been reset. In addition, there is no mechanism that forces the user to change the temporary password immediately after logging in, so the user may keep using the weak password indefinitely, further increasing the risk of compromise.

Steps

  1. Implement a strong password policy that enforces complexity requirements such as minimum length, use of uppercase and lowercase letters, numbers, and special characters.
  2. Generate a random and secure temporary password instead of using a static password like 'password123'.
  3. Ensure that the temporary password is only valid for a limited period of time and expires after a certain duration.
  4. Encrypt the temporary password before storing it in the database to protect it from unauthorized access.
  5. Implement a secure password reset mechanism that requires additional verification steps, such as sending a verification email or using multi-factor authentication.
  6. Log all password reset activities for auditing purposes.
  7. Regularly review and update the password policy to adapt to evolving security threats and best practices.

Secure Code Example

require 'securerandom'

class UsersController < ApplicationController
  def reset_password
    @user = User.find(params[:id])
    # A fresh random value for every reset; assuming the User model uses
    # has_secure_password, only the bcrypt digest is stored, never the plaintext
    @user.password = generate_temp_password
    # Recorded so an expiry check can reject the temporary password after a set interval
    @user.password_reset_sent_at = Time.zone.now
    @user.save!
    # Notify the user that a reset happened and how to choose a new password
    UserMailer.password_reset(@user).deliver_now
    redirect_to @user
  end

  private

  # 15 random bytes, base64-encoded, with characters that are easy to
  # misread ('+/=lIO0') swapped for unambiguous ones
  def generate_temp_password
    SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
  end
end

The updated code now includes a method `generate_temp_password` that generates a random, secure temporary password using `SecureRandom.base64`. This method draws the specified number of random bytes from the operating system's CSPRNG, in this case 15, and base64-encodes them. The `tr` method then replaces characters that are easily confused when read or typed ('+/=lIO0') with unambiguous ones ('pqrsxyz'). The temporary password is assigned to the user's password field; with a model that hashes on assignment (for example `has_secure_password`), only the digest reaches the database. The time at which the reset was issued is also recorded in a `password_reset_sent_at` field, which is the basis for a policy under which the temporary password expires after a certain duration. Once both fields are updated, the changes are persisted with `save!`. Finally, a password reset email is sent to the user through a hypothetical `UserMailer.password_reset` method; this method would need to be implemented in your `UserMailer` class and would send the user instructions on how to complete the reset. This approach ensures that the temporary password is both unpredictable and unique per request, and that the user is notified of the reset. It also provides a foundation for the remaining steps: enforcing the expiry window, hashing the credential at rest, requiring additional verification such as multi-factor authentication, and logging reset activity.
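The steps above describe a complexity policy, a random temporary password and a validity window, but the controller only records `password_reset_sent_at` without checking it. The following is an added, framework-independent example (not the page's code) that implements those three pieces; the 12-character minimum and 15-minute lifetime are assumed values, and the ambiguous-character exclusions mirror the `tr` call in the secure example.

```ruby
require 'securerandom'

# Added example: temporary-password helpers covering steps 1-3 of the
# remediation (policy, secure generation, time-boxed validity).
module TempPassword
  MIN_LENGTH = 12        # assumed policy minimum
  TTL        = 15 * 60   # assumed lifetime of a temporary password, in seconds

  # Alphabet with visually ambiguous characters (l, I, O, 0, 1) removed
  LOWER   = ('a'..'z').to_a - %w[l]
  UPPER   = ('A'..'Z').to_a - %w[I O]
  DIGITS  = ('2'..'9').to_a
  SPECIAL = %w[! @ # $ % ^ & * - _ + =]
  CLASSES = [LOWER, UPPER, DIGITS, SPECIAL].freeze

  # Step 1: a password is acceptable only if it is long enough and
  # contains at least one character from every class
  def self.meets_policy?(pw)
    pw.length >= MIN_LENGTH &&
      CLASSES.all? { |cls| pw.chars.any? { |c| cls.include?(c) } }
  end

  # Step 2: pick one character from each class so the policy is met by
  # construction, fill the remainder from the whole alphabet, then shuffle
  # with the CSPRNG so the mandatory characters sit at random positions
  def self.generate(length = 16)
    raise ArgumentError, 'length below policy minimum' if length < MIN_LENGTH

    all   = CLASSES.flatten
    chars = CLASSES.map { |cls| cls[SecureRandom.random_number(cls.size)] }
    chars << all[SecureRandom.random_number(all.size)] while chars.size < length
    chars.shuffle(random: SecureRandom).join
  end

  # Step 3: a temporary password issued at sent_at is rejected after TTL
  # seconds; sent_at is the value stored in password_reset_sent_at
  def self.expired?(sent_at, now = Time.now)
    now - sent_at > TTL
  end
end
```

In the controller, `expired?` would be checked at login against the stored `password_reset_sent_at` before the temporary password is accepted.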


References

  • 364 - Weak credential policy - Temporary passwords

  • Last updated: 2023/09/18