363 Weak credential policy - Password strength


Description

The credential policy present in the system does not have the recommended parameters.


Impact

Allows users to assign weak passwords to their accounts, which an attacker can later find easily through brute-force or dictionary attacks.


Recommendation

Establish a policy for credential creation that involves phrases and not word-based passwords.
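
A sketch of how such a policy could be enforced at credential creation, added here as an example and not taken from this page or from any particular product. The thresholds (`MIN_LENGTH`, `MIN_WORDS`), the word list and the function names are assumptions to be replaced with your own standard.

```python
import re

# Assumed policy parameters (the page does not state concrete values).
MIN_LENGTH = 20
MIN_WORDS = 4
# Constructed sample; in practice load a dictionary or breached-password list.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "summer", "admin"}
# Common character substitutions undone before the dictionary lookup.
SUBSTITUTIONS = str.maketrans("013457@$", "oieastas")


def base_word(token: str) -> str:
    """Reduce 'P@ssw0rd2024!' to 'password': drop trailing padding, undo substitutions."""
    stripped = re.sub(r"[\d\W_]+$", "", token.lower())
    return stripped.translate(SUBSTITUTIONS)


def policy_violations(candidate: str) -> list[str]:
    """Return the policy rules a candidate credential breaks (empty list = accepted)."""
    words = candidate.split()
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    if len(words) < MIN_WORDS:
        violations.append("too_few_words")
        # Word-based password: a dictionary word dressed up with digits and symbols.
        if any(base_word(w) in COMMON_WORDS for w in words):
            violations.append("dictionary_word")
    if len({w.lower() for w in words}) < len(words):
        violations.append("repeated_words")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("P@ssw0rd2024!", "correct horse battery staple"):
        print(f"{sample!r}: {policy_violations(sample) or 'accepted'}")
```

A password that satisfies a typical "upper, lower, digit, symbol" rule is still rejected here when it reduces to a single dictionary word, which is the case a dictionary attack covers first.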


Threat

Attacker with an account creation invitation from the Internet.


Expected Remediation Time

30 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/20