CWE-521 (Weak Password Requirements) · OWASP A07:2021 (Identification and Authentication Failures)

No Password Strength Indicator

Without real-time feedback on password strength, users default to weak passwords they already know — even when you require complexity.

How It Works

Composition requirements (must have uppercase, number, symbol) are well-intentioned, but users satisfy them with the same predictable transformation: a dictionary word, a capital first letter, a digit and a symbol on the end, as in 'Password1!'. A rule checker counts character classes and rates that password as compliant. A guess-based estimator such as zxcvbn instead matches the password against dictionaries, keyboard walks, sequences, dates and l33t substitutions and rates it by how few guesses it would survive. Surfacing that estimate as a real-time strength meter, with the reason for a low score, steers users toward genuinely strong passwords (including long, lowercase passphrases) without being prescriptive. The meter is a usability control that runs in the browser; the same score threshold has to be enforced on the server, because a client that skips the meter can post any password straight to the API.

Vulnerable Code
// BAD: static complexity rules produce predictable passwords
<input
  type="password"
  placeholder="Min 8 chars, 1 uppercase, 1 number"
  // no feedback — users type Password1! and move on
/>
Secure Code
// GOOD: real-time strength feedback using zxcvbn (PasswordStrengthBar is the app's own UI component)
import { useState } from 'react';
import zxcvbn from 'zxcvbn';

function NewPasswordField({ email }) {
  const [passwordValue, setPasswordValue] = useState('');
  // score 0-4: 0=very weak, 4=very strong; the second argument lists user-specific
  // strings (email, username) that zxcvbn should treat as trivial guesses
  const { score, feedback } = zxcvbn(passwordValue, [email]);
  // feedback.suggestions: e.g. ['Add another word or two', 'Avoid sequences']
  return (<>
    <input type="password" value={passwordValue} onChange={e => setPasswordValue(e.target.value)} />
    <PasswordStrengthBar score={score} suggestions={feedback.suggestions} />
  </>);
}

Real-World Example

zxcvbn was written at Dropbox for its own signup and password-change forms and open-sourced in 2012; it has since become the most widely used client-side strength estimator. Controlled studies of strength meters have found that a visible meter leads users to choose longer passwords that are measurably harder to guess, with stricter meters and specific, actionable feedback producing the largest gains.

How to Prevent It

  • Add a real-time password strength meter using zxcvbn or a similar guess-based library, and pass the user's email, username and the site name as user_inputs so they are rated as trivially guessable
  • Show actionable feedback (not just red/green): tell users why the password is weak ('password' is a top-10 password, 'abc123' is a sequence) and how to fix it
  • Require a zxcvbn score of at least 3 out of 4 (2 at the very lowest) before allowing account creation or a password change, and enforce the same threshold on the server, since the browser meter is bypassed by calling the API directly
  • Don't reject a long passphrase because it fails a composition rule (no uppercase, no digit): a guess-based meter already rates it, and forcing users to bolt on '1!' only produces the predictable pattern the meter exists to prevent
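The following is an added example, not code from the original page and not zxcvbn itself. It puts the two ideas from "How It Works" and "How to Prevent It" side by side: a composition rule that 'Password1!' satisfies, a deliberately small pattern-aware estimator in the spirit of zxcvbn (dictionary words including the user's own email parts, sequences, repeats, brute-force runs) that rejects it, and the server-side gate that applies the same threshold the browser meter shows. The mini dictionary, pattern rules, multipliers and score cut-offs are simplified assumptions made for illustration; in production call zxcvbn on both client and server instead.

```javascript
// Added example, not from the original page and not zxcvbn: a small pattern-aware
// estimator in the spirit of zxcvbn plus the server-side gate behind the browser meter.
// Dictionary, pattern rules, multipliers and score thresholds are simplified assumptions.

// Constructed mini dictionary of common passwords; rank = index + 1.
const COMMON_WORDS = ['password', '123456', 'qwerty', 'letmein', 'welcome',
  'admin', 'dragon', 'monkey', 'summer', 'winter', 'love', 'secret'];

// The static composition rule the page warns about; 'Password1!' satisfies it.
function meetsCompositionRules(pw) {
  return pw.length >= 8 && /[A-Z]/.test(pw) && /[a-z]/.test(pw)
    && /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Lookup list: parts of user-specific strings (email, username) get rank 1,
// since an attacker targeting this account tries them first.
function buildDictionary(userInputs) {
  const dict = [];
  for (const s of userInputs) {
    for (const part of s.toLowerCase().split(/[^a-z0-9]+/)) {
      if (part.length >= 3) dict.push({ word: part, rank: 1, user: true });
    }
  }
  COMMON_WORDS.forEach((w, i) => dict.push({ word: w, rank: i + 1, user: false }));
  return dict;
}

// Longest dictionary entry matching case-insensitively at position i, or null.
function dictMatchAt(pw, i, dict) {
  let best = null;
  for (const e of dict) {
    const slice = pw.slice(i, i + e.word.length);
    if (slice.length === e.word.length && slice.toLowerCase() === e.word
        && (!best || e.word.length > best.word.length)) best = e;
  }
  return best;
}

function charClass(ch) {
  return /[0-9]/.test(ch) ? 'digit' : /[A-Za-z]/.test(ch) ? 'letter' : 'other';
}

// Greedy left-to-right split into dictionary words and same-class runs; a run
// stops where a dictionary word begins, so 'mydragon' becomes 'my' + 'dragon'.
function tokenize(pw, dict) {
  const tokens = [];
  for (let i = 0; i < pw.length;) {
    const m = dictMatchAt(pw, i, dict);
    if (m) {
      tokens.push({ type: 'dictionary', text: pw.slice(i, i + m.word.length), rank: m.rank, user: m.user });
      i += m.word.length;
      continue;
    }
    const cls = charClass(pw[i]);
    let j = i + 1;
    while (j < pw.length && charClass(pw[j]) === cls && !dictMatchAt(pw, j, dict)) j++;
    tokens.push({ type: 'run', text: pw.slice(i, j), cls });
    i = j;
  }
  return tokens;
}

// log10(guesses) for one token, using the cheapest attack on its pattern.
function tokenGuessesLog10(t) {
  if (t.type === 'dictionary') {
    // capitalisation is a cheap variant of the word, not a new alphabet
    return Math.log10(t.rank * (t.text === t.text.toLowerCase() ? 1 : 2));
  }
  const n = t.text.length;
  const base = t.cls === 'digit' ? 10
    : t.cls === 'letter' ? (t.text === t.text.toLowerCase() ? 26 : 52) : 33;
  const codes = [...t.text].map(c => c.charCodeAt(0));
  const diffs = codes.slice(1).map((c, k) => c - codes[k]);
  t.repeat = n >= 3 && diffs.every(d => d === 0);
  t.sequence = n >= 3 && (diffs.every(d => d === 1) || diffs.every(d => d === -1));
  if (t.repeat) return Math.log10(base * n);        // 'aaaa': choose char and length
  if (t.sequence) return Math.log10(base * n * 2);  // 'abcd' / '4321': start, length, direction
  return n * Math.log10(base);                      // unstructured: brute force
}

function estimateStrength(pw, userInputs = []) {
  const tokens = tokenize(pw, buildDictionary(userInputs));
  let log10 = tokens.reduce((sum, t) => sum + tokenGuessesLog10(t), 0);
  for (let k = 2; k <= tokens.length; k++) log10 += Math.log10(k); // assumed k! cost of joining k pieces
  const score = log10 < 3 ? 0 : log10 < 6 ? 1 : log10 < 8 ? 2 : log10 < 10 ? 3 : 4;
  const suggestions = new Set();
  for (const t of tokens) {
    if (t.type === 'dictionary' && t.user) suggestions.add('Avoid your email or username in the password.');
    else if (t.type === 'dictionary') suggestions.add(`"${t.text}" is a commonly used password or word.`);
    else if (t.sequence) suggestions.add('Avoid sequences like abc or 123.');
    else if (t.repeat) suggestions.add('Avoid repeated characters.');
  }
  if (score < 3) suggestions.add('Add another word or two. Uncommon words are better.');
  return { score, guessesLog10: log10, suggestions: [...suggestions] };
}

// Server-side gate for signup / password change: the browser meter is guidance only
// and is bypassed by posting straight to the API, so the threshold is enforced here.
function validateNewPassword(password, userInputs = [], minScore = 3) {
  if (typeof password !== 'string' || password.length < 8 || password.length > 256) {
    return { ok: false, score: 0, suggestions: ['Use 8 to 256 characters.'] }; // upper bound caps work per request
  }
  const { score, guessesLog10, suggestions } = estimateStrength(password, userInputs);
  return { ok: score >= minScore, score, guessesLog10, suggestions };
}
```

Run `validateNewPassword('Password1!')` and `validateNewPassword('correct horse battery staple')` to see the inversion the page describes: the first passes the composition rule and fails the gate with a reason ('"Password" is a commonly used password or word.'), the second fails the composition rule and passes the gate with score 4. Passing `['alice@example.com']` as user inputs makes 'Alice2024!' score 2 with the email warning, which is why the server must receive the same user-specific strings the browser meter was given.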

Affected Technologies

javascript
