Weak credential policy - Password Change Limit | Fluid Attacks Database

Database

Description

The application does not limit the number of password change requests that can be made in a day.

Impact

Change the password multiple times in a short period of time, denying access to the original user.

Recommendation

Implement a mechanism that rejects multiple password change requests on the same day.

Threat

Internet user with access to the session.

Expected Remediation Time

⏱️ 45 minutes.

Requirements

129 - Validate previous passwords 130 - Limit password lifespan 131 - Deny multiple password changing attempts 132 - Passphrases with at least 4 words 133 - Passwords with at least 20 characters 139 - Set minimum OTP length 332 - Prevent the use of breached passwords

Fixes

Csharp Go Java Python Ruby Typescript