Weak Password Policy

Description

A Weak Password Policy occurs when an application allows users or system administrators to create passwords that are easy to guess, short, or lack complexity, increasing the risk of brute-force attacks, credential stuffing, and unauthorized access. Weak password policies often result in users choosing predictable passwords (e.g., "123456", "password", or "qwerty"), which attackers can crack in seconds using automated tools.

A weak password policy also includes practices such as allowing password reuse, not enforcing expiration policies, and failing to implement multi-factor authentication (MFA). Without proper controls, an attacker who obtains or guesses a single credential can compromise multiple user accounts and sensitive systems.

Examples

Allowing Simple or Common Passwords

An application that does not enforce password complexity may allow users to set weak passwords such as:

  • password
  • 12345678
  • qwerty123
  • admin

Attackers can easily guess or brute-force these passwords using automated tools like Hydra, John the Ripper, or hashcat.

No Multi-Factor Authentication (MFA)

If an application relies solely on password-based authentication without requiring an additional factor (e.g., OTP, biometric, or hardware key), an attacker who steals or cracks a password can fully take over an account.

Lack of Account Lockout or Rate Limiting

A system that does not limit login attempts allows attackers to brute-force a password indefinitely. For example:

POST /login
username=admin&password=admin123

Without a rate-limiting mechanism, an attacker can script thousands of attempts per second until they find a correct combination.

Allowing Password Reuse or No Expiration

If users can reuse old passwords, attackers can use previously leaked credentials in credential stuffing attacks. Without expiration policies, a password might remain unchanged for years, giving attackers more time to compromise accounts.

Remediation

  1. Enforce Strong Password Requirements

    • Require passwords to be at least 10-16 characters long.
    • Mandate a mix of uppercase, lowercase, numbers, and special characters.
    • Prevent the use of common passwords by checking against leaked password databases (e.g., Have I Been Pwned API).

  2. Implement Multi-Factor Authentication (MFA)

    • Enforce MFA for high-privilege accounts and sensitive actions.
    • Support TOTP (Time-Based One-Time Passwords), biometric authentication, or hardware security keys.

  3. Apply Rate Limiting and Account Lockouts

    • Lock accounts temporarily after 5-10 failed login attempts.
    • Implement progressive delays (e.g., increasing wait time after each failed attempt).
    • Use CAPTCHAs for login forms to block automated brute-force attempts.

  4. Enforce Password Expiration and Rotation

    • Require users to change passwords periodically (e.g., every 90 days for critical accounts).
    • Prevent the reuse of previous 5-10 passwords to stop credential cycling.

  5. Use Secure Password Hashing Algorithms

    • Store passwords securely using bcrypt, Argon2, or PBKDF2 with strong salting.
    • Avoid outdated or insecure hashing methods like MD5 or SHA-1.