Severity: medium · CWE-521 · OWASP A07:2021

Weak Password Policy

No minimum length, complexity, or common-password requirements on registration or password change, making user accounts easily brute-forced or guessed.

How It Works

If you accept passwords like '123456' or 'password', your users will use them. Short, common passwords fall to dictionary attacks in seconds. NIST SP 800-63B recommends a minimum of 8 characters (with 15 preferred) and checking against known breached password lists rather than requiring complexity rules that users just game with 'Password1!'.

Vulnerable Code

// BAD: no password validation
import { z } from 'zod';

const schema = z.object({
  email: z.string().email(),
  password: z.string(), // any string accepted, including '' or '123456'
});

Secure Code

// GOOD: enforce length bounds and check against a breach list
import { z } from 'zod';
import { isPwnedPassword } from './pwned'; // hypothetical helper: (pw: string) => Promise<boolean>

const schema = z.object({
  email: z.string().email(),
  password: z.string()
    .min(8, 'Password must be at least 8 characters')
    .max(128) // generous upper bound so passphrases are not rejected
    .refine(async (pw) => !(await isPwnedPassword(pw)), 'This password has appeared in a data breach'),
});

// The refine is async, so validate with schema.parseAsync(...) or schema.safeParseAsync(...);
// zod throws if a schema containing an async refinement is run through the synchronous parse().

Real-World Example

The 2019 Disney+ launch saw thousands of accounts compromised within hours. Most weren't hacked — users had reused weak passwords from previous breaches. A minimum-length policy and a breached-password check would have prevented most of these accounts from being taken over.

How to Prevent It

  • Require a minimum of 8 characters (15+ recommended by NIST)
  • Check passwords against the HaveIBeenPwned API (pwned-passwords) to block known breached passwords
  • Allow long passwords (up to 128+ characters) to encourage passphrases
  • Don't enforce complexity rules (uppercase + number + symbol) — they produce predictable patterns
  • Show a password strength meter to guide users toward better choices

Affected Technologies

Node.js, Next.js, Python, PHP

Data Hogo detects this vulnerability automatically.
