Weak password - Vulnerability Database

Weak password

Description

The application accepts weak or easily guessable passwords for user authentication. Weak passwords include common dictionary words, default credentials, short character sequences, and passwords derived from usernames. An automated scanner successfully authenticated to a protected resource by testing a limited set of commonly used credentials, which indicates that password complexity requirements are not sufficiently enforced.

Remediation

Implement and enforce a comprehensive password policy that includes the following requirements:

1. Minimum complexity standards: Require passwords to be at least 12 characters long and contain a mix of uppercase letters, lowercase letters, numbers, and special characters.

2. Password validation: Reject passwords that match common dictionary words, previously breached password lists (such as Have I Been Pwned), or contain sequential characters. Implement server-side validation to prevent weak passwords during account creation and password changes.

3. Remove default credentials: Ensure all default or system-generated passwords are changed during initial setup and cannot be reused.

4. Additional security controls: Implement multi-factor authentication (MFA) for all user accounts, especially those with elevated privileges. Apply rate limiting and account lockout mechanisms to prevent automated brute force attacks.

5. User education: Encourage users to adopt password managers and unique passwords for each account to prevent credential reuse across services.
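As an added example (not Invicti's code), the following Python validator applies the server-side checks from steps 1 to 3 above: minimum length, character classes, breached and dictionary lists, default credentials, username-derived passwords and sequential runs. The word lists are constructed placeholders standing in for a real breached-password corpus and dictionary.

```python
import re
from typing import List

# Constructed sample lists; in production load a real breached-password corpus
# (for example an offline Have I Been Pwned export) and a full dictionary.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein", "welcome1"}
DICTIONARY_WORDS = {"password", "dragon", "monkey", "football", "welcome", "summer"}
DEFAULT_CREDENTIALS = {"admin", "changeme", "default", "password"}

MIN_LENGTH = 12  # policy minimum from step 1


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters that ascend or descend
    by exactly one code point, e.g. 'abcd' or '4321'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def password_violations(password: str, username: str) -> List[str]:
    """Return every policy violation for the password; an empty list means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(p, password) for p in classes):
        violations.append("missing an uppercase, lowercase, digit or special character")
    lowered = password.lower()
    if lowered in BREACHED_PASSWORDS:
        violations.append("appears in breached-password list")
    if lowered in DEFAULT_CREDENTIALS:
        violations.append("is a default credential")
    # Strip digits and symbols so 'Dragon2024!' is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY_WORDS:
        violations.append("is a dictionary word with trivial padding")
    if username and username.lower() in lowered:
        violations.append("contains the username")
    if has_sequential_run(password):
        violations.append("contains sequential characters")
    return violations
```

Run the checks on both account creation and password change, and return the full list so the user can fix every problem in one attempt.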
