Nuxeo Platform / NXP-32529

#PT12068_7 - Lack of Passwords Verification Against a Set of Breached Passwords


    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security, Security / Rights

      Description

      Server Security Misconfiguration > Lack of Password Confirmation

      Proof of Concept

      1. Log in to the application with a privileged user account.
      2. Navigate to "User Settings" -> "Profile".
      3. Try to change the user's password.
      4. When setting the new password, supply a known leaked password (one that appears in a public breach list).
      5. Observe that the application accepts the given password without any warning or rejection.

      Suggested Fix

      1. Allow all characters to be used in passwords, so the key space for brute-force guessing is not reduced.
      2. Do not impose composition rules such as "must contain at least X characters of a specific type". Such rules reduce the key space for brute-force guessing.
      3. Disallow short passwords. 12 characters is generally considered a good minimum password length.
      4. Allow a large maximum password length.
      5. Do not advertise the maximum password length, since that also reduces the key space for brute-force guessing.
      6. Disallow reuse of previous passwords.
      7. Disallow a password that is the same as the user's email address or username.
      8. Check the given password against leaked-password lists, at least the top 1000 most common breached passwords.
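The following is an added example of a password-change validator that implements the suggested fix list above; it is illustrative code, not Nuxeo's own password policy or the reporter's code. The breached-password check mirrors the k-anonymity "range" lookup used by the Have I Been Pwned Pwned Passwords API (SHA-1 hash, 5-character prefix, suffix compared locally), but runs against a small constructed list embedded in the block so it works offline; in a real deployment the index would be loaded from a full breach corpus or queried from the range API. The names `PasswordPolicy`, `build_range_index`, `is_breached`, `hash_for_history`, `matches_history` and `SAMPLE_LEAKED_PASSWORDS` are all assumptions for this example. It goes slightly beyond the list by comparing the username and email case-insensitively.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample standing in for a "top N" breached-password list.
# A real deployment would load the full Pwned Passwords data set (or query
# the HIBP range API) instead of this handful of entries.
SAMPLE_LEAKED_PASSWORDS = [
    "password", "123456", "qwerty123456", "Password123!", "letmein2024",
    "iloveyou", "welcome123456", "admin123456789",
]

# Work factor for the password-history hashes (assumed value for the example).
PBKDF2_ROUNDS = 200_000


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Index leaked passwords by the first 5 hex chars of their SHA-1 hash.

    This is the same split the HIBP range API uses: a client sends only the
    5-char prefix and compares the returned suffixes locally, so the server
    never learns the candidate password or its full hash.
    """
    index = {}
    for pw in leaked:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_breached(password, index):
    """True if the password's SHA-1 suffix is listed under its 5-char prefix."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def hash_for_history(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 hash stored for the 'no reuse' check."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password, history):
    """True if the password re-hashes to any stored (salt, digest) pair."""
    for salt, stored in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, stored):
            return True
    return False


@dataclass
class PasswordPolicy:
    min_length: int = 12
    # Generous upper bound; error messages deliberately do not reveal it.
    max_length: int = 256
    breached_index: dict = field(default_factory=dict)

    def validate(self, password, username, email, history=()):
        """Return a list of reasons the password is rejected (empty = accepted)."""
        reasons = []
        # Length rules only: no composition rules, so every character is allowed.
        if len(password) < self.min_length:
            reasons.append(f"password must be at least {self.min_length} characters")
        if len(password) > self.max_length:
            reasons.append("password is too long")  # limit intentionally not stated
        # Compare case-insensitively so "Alice@Example.com" is still rejected.
        if password.lower() in {username.lower(), email.lower()}:
            reasons.append("password must not match the username or e-mail address")
        if matches_history(password, history):
            reasons.append("password was used previously")
        if is_breached(password, self.breached_index):
            reasons.append("password appears in a known breach")
        return reasons


if __name__ == "__main__":
    policy = PasswordPolicy(breached_index=build_range_index(SAMPLE_LEAKED_PASSWORDS))
    for candidate in ("welcome123456", "short", "correct horse battery staple"):
        print(candidate, "->", policy.validate(candidate, "alice", "alice@example.com") or "accepted")
```

Rejection reasons are returned as a list so the UI can show all failing rules at once; the breached-password message says only that the password appears in a breach, and the length message never discloses the maximum, in line with points 5 and 8 above.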

            People

            • Assignee: Unassigned
            • Reporter: santony (Sooraj Antony)