Severity: Medium | CWE-521 | OWASP A07:2021

No Password Policy

Accepting any password — including '123' or 'a' — makes your user accounts trivially vulnerable to credential stuffing and brute force attacks.

How It Works

Without a minimum length requirement, users pick weak passwords and attackers can brute-force them with small wordlists. NIST guidelines (SP 800-63B) recommend a minimum of 8 characters and checking candidate passwords against lists of known breached passwords.

Vulnerable Code
import bcrypt from 'bcrypt';
// `db` is the application's data-access layer (assumed; not shown on the page).

// BAD: no password validation — accepts '1' as a valid password
async function register(email: string, password: string) {
  const hash = await bcrypt.hash(password, 10); // hashing is correct, but it cannot make '1' strong
  await db.users.create({ email, password: hash });
}
Secure Code
import bcrypt from 'bcrypt';
// `db` is the application's data-access layer and `isBreachedPassword` is a helper that
// queries a breached-password list such as HaveIBeenPwned (both assumed; not shown on the page).

// GOOD: enforce minimum password requirements
async function register(email: string, password: string) {
  if (password.length < 8) throw new Error('Password must be at least 8 characters');
  if (await isBreachedPassword(password)) throw new Error('Password found in breach database');
  const hash = await bcrypt.hash(password, 10); // note: bcrypt hashes only the first 72 bytes of its input
  await db.users.create({ email, password: hash });
}

Real-World Example

The 2012 LinkedIn breach exposed 117 million password hashes. Analysis showed 'linkedin' was the most common password, and over 1 million accounts used '123456'. A basic length policy would have forced most of these into stronger passwords.

How to Prevent It

  • Enforce a minimum password length of 8 characters (12+ recommended)
  • Check passwords against the HaveIBeenPwned API or the haveibeenpwned npm package
  • Allow long passphrases — don't set a maximum length below 64 characters
  • Don't require special characters — they don't improve security much and hurt usability

Affected Technologies

Node.js, JavaScript

Data Hogo detects this vulnerability automatically.
