
Weak credential policy - Temporary passwords

Need

Strengthening temporary password security policies

Context

• Usage of TypeScript for type-checking and enhanced JavaScript development

• Usage of Express for building web applications and APIs

Description

1. Non-compliant code

import express from 'express';

const app = express();

app.post('/login', (req, res) => {
  const { username, password } = req.body;

  const temporaryPassword = generateTemporaryPassword();...

The vulnerability in this code is a weak credential policy for temporary passwords. `generateTemporaryPassword` returns the constant string "weak123": it is short, predictable and the same for every user, so anyone who has seen one temporary password, or can simply guess it, can authenticate as any account that is currently in the reset flow. It has none of the properties a temporary credential needs: generated from a cryptographically secure random source, long enough to resist online guessing, unique per issuance, short-lived and valid for a single use. The code also stores the temporary password without protection: `saveTemporaryPassword` writes it to the database in plaintext instead of hashing it, so a database compromise or an over-privileged query exposes every outstanding temporary password directly. Finally, `sendTemporaryPassword` does not use a secure mail transport, so the temporary password can be read in transit by anyone positioned between the application and the mail server. Together these flaws let an attacker obtain or guess temporary passwords and authenticate as legitimate users, which can lead to unauthorized actions or data breaches.

2. Steps

• Implement a strong password generation function for generating temporary passwords.

• Implement secure password storage mechanism to store temporary passwords in the database.

• Implement a secure email sending mechanism to send temporary passwords to users.

3. Secure code example

import express from 'express';
import bcrypt from 'bcrypt';
import nodemailer from 'nodemailer';

const app = express();

app.use(express.json());
app.post('/login', async (req, res) => {...

The fixed code addresses the vulnerability by generating, storing and delivering temporary passwords according to recommended practice. The changes are:

• The code imports `express` to create the server, `bcrypt` to hash passwords and `nodemailer` to send email.

• The `/login` route is a POST handler that expects `username` and `password` in the JSON request body (`express.json()` is registered so the body is parsed).

• `generateTemporaryPassword` produces a 10-character random alphanumeric string. The randomness source must be a CSPRNG (Node's `crypto.randomInt` or `crypto.randomBytes`), not `Math.random`, whose output is predictable. Ten alphanumeric characters give roughly 59 bits of entropy, which is adequate for a short-lived, rate-limited credential but not for a long-term password.

• `saveTemporaryPassword` hashes the temporary password with bcrypt at a cost factor of 10 (bcrypt generates a unique salt for each hash) before writing it to the database. Only the hash is stored, so an attacker who dumps the table cannot read the passwords and must brute-force each one individually.

• `sendTemporaryPassword` uses nodemailer to create a transporter with the mail service credentials, builds the message (sender, recipient, subject and a body containing the temporary password) and sends it. The transport should be configured for TLS so the password is not readable in transit; email remains a weak channel, which is why the credential must expire quickly.

• The `/login` handler calls `generateTemporaryPassword`, then `saveTemporaryPassword` to hash and store the result, then `sendTemporaryPassword` to deliver it to the user's email address.

• The server listens on port 3000 and logs a message when it starts.

With these changes temporary passwords are unpredictable, stored only as bcrypt hashes and delivered over an encrypted mail transport. Two controls the example does not show but a complete policy needs are an expiry time on every temporary password and invalidation after its first successful use, so an intercepted or leaked value has a short window and cannot be replayed.
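The following block puts the three steps from the Steps section and the explanation above together in one runnable unit. It is an added example, not code from this page or from any project it describes. To run with no npm dependencies it uses Node's built-in `crypto` module: `crypto.randomInt` for unbiased CSPRNG character selection and `scryptSync` in place of bcrypt for the stored hash. The in-memory `Map` standing in for the database, the 16-character length, the 15-minute lifetime, the single-use rule and all function names are assumptions. Email delivery is left to the caller: the plaintext is returned exactly once for out-of-band delivery and is never stored.

```typescript
// Added example (not the page's code): issuing and verifying temporary
// passwords with Node's built-in crypto module. `store` is an in-memory
// stand-in for the page's unspecified database; scrypt replaces bcrypt so the
// file runs without any npm packages.
import { randomInt, randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

// Unambiguous alphabet (no 0/O, 1/l/I) so users can retype what they receive.
const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
const TEMP_PASSWORD_LENGTH = 16;               // assumption
const TEMP_PASSWORD_TTL_MS = 15 * 60 * 1000;   // assumption: 15 minutes

interface TemporaryCredential {
  hash: Buffer;       // scrypt(password, salt); plaintext is never stored
  salt: Buffer;       // random per-credential salt
  expiresAt: number;  // epoch milliseconds
  used: boolean;      // single-use flag
}

const store = new Map<string, TemporaryCredential>(); // stand-in for the DB

// Each character is drawn with crypto.randomInt, which is uniform over
// [0, ALPHABET.length) and backed by the OS CSPRNG, unlike Math.random.
export function generateTemporaryPassword(length = TEMP_PASSWORD_LENGTH): string {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET[randomInt(ALPHABET.length)];
  }
  return out;
}

// Guessing resistance of a password of `length` characters from ALPHABET.
export function entropyBits(length = TEMP_PASSWORD_LENGTH): number {
  return length * Math.log2(ALPHABET.length);
}

// Memory-hard KDF (N=2^14, r=8, p=1 are Node's defaults); raise N as budget allows.
export function hashSecret(secret: string, salt: Buffer): Buffer {
  return scryptSync(secret, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Issue: generate, hash, store with expiry. The plaintext is returned once so
// the caller can deliver it (e.g. by email over TLS) and is not persisted.
export function issueTemporaryPassword(username: string, now = Date.now()): string {
  const password = generateTemporaryPassword();
  const salt = randomBytes(16);
  store.set(username, {
    hash: hashSecret(password, salt),
    salt,
    expiresAt: now + TEMP_PASSWORD_TTL_MS,
    used: false,
  });
  return password;
}

export type VerifyResult = 'ok' | 'unknown-user' | 'expired' | 'already-used' | 'mismatch';

// Verify: reject replayed or expired credentials, compare hashes in constant
// time, and burn the credential on its first successful use.
export function verifyTemporaryPassword(
  username: string,
  candidate: string,
  now = Date.now(),
): VerifyResult {
  const cred = store.get(username);
  if (!cred) return 'unknown-user';
  if (cred.used) return 'already-used';
  if (now > cred.expiresAt) {
    store.delete(username); // expired credentials are removed, not kept around
    return 'expired';
  }
  const candidateHash = hashSecret(candidate, cred.salt); // same length as cred.hash
  if (!timingSafeEqual(candidateHash, cred.hash)) return 'mismatch';
  cred.used = true;
  return 'ok';
}
```

In an Express application `issueTemporaryPassword` would run inside the reset handler, with its return value handed to the mail sender and then discarded, and `verifyTemporaryPassword` would run in the handler that accepts the temporary password and forces the user to set a new one. Returning a distinct result for each failure is for server-side logging and rate limiting; the HTTP response to the client should stay generic so it does not confirm which usernames have a pending reset.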