Weak password requirements
Description
The application's password validator allows weak passwords. Consider requiring a minimum length of 8 characters, and enabling requirements for digits, lowercase letters, uppercase letters, and non-alphanumeric characters, to reduce the chance of passwords being brute forced.
Examples
Insecure Code
```csharp
options.Password.RequiredLength = 6;
```
Secure Code
```csharp
options.Password.RequiredLength = 8;
```
Remediation
Update the password validator to require a length of at least 8 characters and enable requirements for digits, lowercase letters, uppercase letters, and non-alphanumeric characters.
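The remediation above, applied as a complete ASP.NET Core Identity registration in Program.cs. This is an added example, not code from the rule's own source; it assumes a hypothetical `AppDbContext` backed by SQLite and the Microsoft.AspNetCore.Identity.EntityFrameworkCore and Microsoft.EntityFrameworkCore.Sqlite packages. The lockout settings are an extra beyond the rule's scope, included because they limit online guessing against whatever password policy is in place.

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical store: an Identity DbContext on a local SQLite file (constructed for this example).
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db"));

builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    // Remediated policy: minimum length plus all four character-class requirements.
    // The defaults for Require* are already true; setting them explicitly stops a
    // later "options.Password.RequireDigit = false" from going unnoticed in review.
    options.Password.RequiredLength = 8;
    options.Password.RequireDigit = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireUppercase = true;
    options.Password.RequireNonAlphanumeric = true;

    // Optional extra: reject low-entropy strings such as "Aaaaaaa1!" that satisfy
    // every class rule while repeating one character.
    options.Password.RequiredUniqueChars = 4;

    // Beyond this rule's scope: account lockout caps online brute-force attempts
    // so the policy above is not the only defense.
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
})
.AddEntityFrameworkStores<AppDbContext>();

var app = builder.Build();
app.Run();

// Identity-backed DbContext assumed by the registration above.
public class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```

The built-in `PasswordValidator<TUser>` reads these `options.Password` values at registration time, so `UserManager.CreateAsync` and `ChangePasswordAsync` will reject a six-character or single-class password with an `IdentityError` describing the unmet requirement.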
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0456 |
| Category | Auth |
| Severity | MEDIUM |
| CWE | CWE-521 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | password validation, authentication |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |