C Sharp Weak Credential Policy
Description
Detects weak password policy configurations in C# applications that could leave accounts exposed to brute force attacks. The detector identifies when password complexity requirements are disabled or set too low, such as a short minimum password length or a low minimum number of unique characters.
Detection Strategy
• Identifies assignments that set the password policy properties RequireDigit, RequireNonAlphanumeric, RequireUppercase, or RequireLowercase to 'false'
• Reports when RequiredLength is set to values less than 8 characters
• Flags when RequiredUniqueChars is configured to require 5 or fewer unique characters
• Traces data flow to the values assigned to these properties, so that a finding is reported only when the weak value actually reaches the configuration
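As an added illustration of the strategy above (not Fluid Attacks' detector code), the Python stand-in below applies the same thresholds to C# source with regular expressions, resolving a right-hand-side identifier one level through the file's declarations in place of real data-flow analysis; the Startup class it scans is constructed here and mirrors the vulnerable example on this page.

```python
import re

# Thresholds from the detection strategy: a Require* flag set to false, a
# RequiredLength below 8, or RequiredUniqueChars of 5 or fewer is reported.
BOOL_PROPERTIES = {"RequireDigit", "RequireNonAlphanumeric",
                   "RequireUppercase", "RequireLowercase"}
# `<receiver>.Password.<Property> = <value>;`
ASSIGN_RE = re.compile(r"\.Password\.(\w+)\s*=\s*([^;]+);")
# Simple declarations such as `const int MinLen = 6;` or `var strict = false;`
DECL_RE = re.compile(r"\b(?:const\s+)?(?:int|bool|var)\s+(\w+)\s*=\s*([^;]+);")

def _is_weak(prop, value):
    """Apply the page's thresholds to one resolved property value."""
    if prop in BOOL_PROPERTIES:
        return value == "false"
    if prop == "RequiredLength":
        return value.isdigit() and int(value) < 8
    if prop == "RequiredUniqueChars":
        return value.isdigit() and int(value) <= 5
    return False

def find_weak_password_settings(source):
    """Return (line, property, effective_value) for each weak assignment."""
    # A right-hand side naming a declared identifier is resolved one level
    # through the file's declarations, a stand-in for the data-flow step.
    declared = {m.group(1): m.group(2).strip() for m in DECL_RE.finditer(source)}
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            prop, rhs = m.group(1), m.group(2).strip()
            value = declared.get(rhs, rhs)
            if _is_weak(prop, value):
                findings.append((line_no, prop, value))
    return findings

# Constructed sample: mirrors the page's vulnerable Startup, plus a length that
# is only weak once the local constant is resolved.
SAMPLE_VULNERABLE = """
public class Startup {
    const int MinLen = 6;
    public void Configure(IServiceCollection services) {
        services.Configure<IdentityOptions>(options => {
            options.Password.RequireDigit = false;
            options.Password.RequireLowercase = false;
            options.Password.RequiredLength = MinLen;
            options.Password.RequiredUniqueChars = 4;
        });
    }
}
"""
```

Running `find_weak_password_settings(SAMPLE_VULNERABLE)` reports the two disabled flags, the length of 6 reached through `MinLen`, and the unique-character count of 4; a compliant configuration yields an empty list.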
Vulnerable code example
using System;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class Startup {
    public void Configure(IServiceCollection services) {
        services.Configure<IdentityOptions>(options => {
            // Vulnerable: Disabling password complexity requirements reduces security
            options.Password.RequireDigit = false;
            options.Password.RequireLowercase = false;
            // ...
        });
    }
}

✅ Secure code example
using System;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class Startup {
    public void Configure(IServiceCollection services) {
        services.Configure<IdentityOptions>(options => {
            // Secure: Enable comprehensive password complexity requirements
            // ...
        });
    }
}