296 – Weak credential policy - Password Change Limit

Description

The application does not limit the number of password change requests that can be made in a day.

Impact

Change the password multiple times in a short period of time, denying access to the original user.

Recommendation

Implement a mechanism that rejects multiple password change requests on the same day.

Threat

Internet user with access to the session.

Expected Remediation Time

45 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): L
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 130 - Limit password lifespan
• 132 - Passphrases with at least 4 words
• 133 - Passwords with at least 20 characters
• 139 - Set minimum OTP length
• 332 - Prevent the use of breached passwords

Fixes

• Csharp
• Elixir
• Go
• Java
• Python
• Ruby
• Typescript

Last updated

2024/02/19