Weak Password Configuration
What does this mean?
A weak password is one that is short, common, a system default, or otherwise quickly guessable by a brute-force attack over a small subset of all possible passwords, such as dictionary words, proper names, words derived from the user name, or popular variants on these themes.
What can happen?
Weak passwords are a major factor in many breaches. They can be guessed outright, or brute-forced when the password is short. They also fall quickly to dictionary attacks, in which the attacker submits the user name together with candidate passwords taken from a list of common words and previously leaked passwords.
Recommendation
There are two techniques to reduce the risk of easily guessed passwords allowing unauthorized access:
- Implement extra authentication measures (for example, two-factor authentication).
- Implement a strong password policy that enforces password length, complexity, reuse restrictions, and aging.
The password policy is the most basic and least expensive of the two; ideally, both should be done.
Sample Code
Vulnerable (C#):
string username = "admin";
string password = "Admin123"; // Sensitive: short, guessable and hard-coded in source
string usernamePassword = "user=admin&password=Admin123"; // Sensitive: credential embedded in a query string
string url = "scheme://user:Admin123@domain.com"; // Sensitive: credential embedded in a URL
Non Vulnerable (C#):
string username = "admin";
string password = GetEncryptedPassword(); // secret is fetched at run time, not stored in source
string usernamePassword = string.Format("user={0}&password={1}", GetEncryptedUsername(), GetEncryptedPassword());
string url = $"scheme://{username}:{password}@domain.com"; // built from the run-time values above
string url2 = "http://guest:guest@domain.com"; // Compliant: user name and password identical, a placeholder rather than a secret
const string Password_Property = "custom.password"; // Compliant: a property name, not a password value
Vulnerable (Java):
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

Connection conn = null;
try {
    conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
        "user=steve&password=blue"); // Sensitive: credentials embedded in the JDBC URL
    String uname = "steve";
    String password = "blue";
    conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
        "user=" + uname + "&password=" + password); // Sensitive: still string literals in source
    java.net.PasswordAuthentication pa = new java.net.PasswordAuthentication("userName", "1234".toCharArray()); // Sensitive
} catch (SQLException e) {
    // handle the connection failure
}
Non Vulnerable (Java):
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

Connection conn = null;
try {
    String uname = getEncryptedUser();    // credentials are fetched at run time
    String password = getEncryptedPass(); // from a secret store, not from source
    conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
        "user=" + uname + "&password=" + password);
} catch (SQLException e) {
    // handle the connection failure
}
Vulnerable (PHP):
<?php
$password = "65DBGgwe4uazdWQA"; // Sensitive: secret hard-coded in source
$httpUrl = "https://example.domain?user=user&password=65DBGgwe4uazdWQA"; // Sensitive: secret embedded in a query string
$sshUrl = "ssh://user:65DBGgwe4uazdWQA@example.domain"; // Sensitive: secret embedded in a URL
Non Vulnerable (PHP):
<?php
$user = getUser();
$password = getPassword(); // Compliant: fetched at run time, not stored in source
$httpUrl = "https://example.domain?user=$user&password=$password"; // Compliant
$sshUrl = "ssh://$user:$password@example.domain"; // Compliant
Vulnerable (JavaScript):
const password = "65DBGgwe4uazdWQA"; // Sensitive: secret hard-coded in source
const httpUrl = "https://example.domain?user=user&password=65DBGgwe4uazdWQA"; // Sensitive: secret embedded in a query string
const sshUrl = "ssh://user:65DBGgwe4uazdWQA@example.domain"; // Sensitive: secret embedded in a URL
Non Vulnerable (JavaScript):
const user = getUser();
const password = getPassword(); // Compliant: fetched at run time, not stored in source
const httpUrl = `https://example.domain?user=${user}&password=${password}`; // Compliant
const sshUrl = `ssh://${user}:${password}@example.domain`; // Compliant