Weak Password Policy
Web applications usually have an authentication mechanism. Verifying users' identity is vital, because applications may hold confidential information. The most common way to establish a user's legitimacy is to ask for a combination of username and passphrase; the user must enter both values correctly to gain access to their account and its functionality. It is necessary to ensure that users do not choose a weak password that is easy to guess, since a person with malicious intent may guess it and gain access with little effort. Let us take an example to see how an attacker may exploit this loophole and cause damage.
A web application imposes no restrictions on passwords, so users can set whatever password they want. One user sets his password to be the same as his username. An attacker wants to gain access to that user's account; he enters the username as the password in one of his early attempts, and it succeeds. He gains access to the user's account and obtains confidential information.
The solution is to enforce a strong password policy, ensuring that passwords are hard to guess. The website can also show users an indicator of password strength. Depending on the level of security required, the following conditions could be enforced:
Passwords must have a minimum of 8 characters.
Passwords must include at least three of the four following types of characters:
English uppercase letters (A to Z).
English lowercase letters (a to z).
Numbers (0 to 9).
Special characters and punctuation symbols (for example: _, -, +, =, !, @, %, *, &, ", :, ., or /).
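The following is an added example, not code from the original article, showing how the policy above (minimum of 8 characters, at least three of the four character types) can be enforced server-side, together with a check that rejects the username-as-password case from the earlier scenario and a coarse strength label of the kind a registration form's indicator could display. The special-character set is the article's example set; the username comparison, the strength thresholds and the function names are assumptions made for this example.

```python
import string

# Policy values stated in the article.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3

# The article's example set of special characters and punctuation symbols.
# A real deployment would more likely accept any printable non-alphanumeric
# character; this narrower set is kept to match the text.
SPECIAL_CHARS = set('_-+=!@%*&":./')

# The four character types the policy counts.
CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": SPECIAL_CHARS,
}


def character_classes_present(password):
    """Return the names of the character types that occur in password."""
    chars = set(password)
    return {name for name, members in CHARACTER_CLASSES.items() if chars & members}


def password_violations(password, username=None):
    """Return a list of policy violations; an empty list means the password is acceptable.

    The username comparison is an added check (assumption, not from the article's
    list) that directly blocks the scenario in which a user chose the username as
    the password.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"must have at least {MIN_LENGTH} characters")
    classes = character_classes_present(password)
    if len(classes) < REQUIRED_CLASSES:
        violations.append(
            f"must include at least {REQUIRED_CLASSES} of 4 character types (found {len(classes)})"
        )
    if username is not None and password.casefold() == username.casefold():
        violations.append("must not be the same as the username")
    return violations


def strength_indicator(password, username=None):
    """Coarse label for a UI strength indicator: 'weak', 'fair' or 'strong'.

    Thresholds are assumptions for this example: anything failing the policy is
    'weak'; passing it is 'fair'; passing it with all four character types and
    at least 12 characters is 'strong'.
    """
    if password_violations(password, username):
        return "weak"
    if len(password) >= 12 and len(character_classes_present(password)) == 4:
        return "strong"
    return "fair"


if __name__ == "__main__":
    # Constructed sample inputs, including the username-as-password case.
    for pw, user in [("alice", "alice"), ("password1", "bob"), ("Passw0rd", "bob"), ("Correct-Horse9", "bob")]:
        print(f"{pw!r}: {strength_indicator(pw, user)} {password_violations(pw, user)}")
```

On a registration or password-change endpoint, call password_violations and return the list to the client so the user sees every unmet rule at once rather than discovering them one by one; the strength label is only advisory and should never replace the hard checks.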