08 Mar, 2023

Insufficient password complexity requirements

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Insufficient password complexity requirements refer to a situation where a system, website, or application does not enforce strong password policies for its users. This means that users are allowed to choose weak passwords that are easily guessable or vulnerable to brute-force attacks. Weak passwords make it easier for attackers to gain unauthorized access to user accounts, compromising sensitive data and putting the entire system or organization at risk.

Password complexity requirements typically involve a combination of factors, such as minimum length, the use of upper and lower case letters, numbers, and special characters. The more complex the password, the more difficult it is for attackers to crack it.

Example of vulnerable code on different programming languages:


in Python:

				
					import hashlib

def login(username, password):
    hashed_password = hashlib.sha256(password.encode()).hexdigest()
    # Check if the hashed password matches the user's stored password
    if hashed_password == get_user_password(username):
        print("Login successful")
    else:
        print("Invalid username or password")


				
			


In this example, the login function hashes the user’s password using the SHA-256 algorithm before comparing it to the stored password in the database. However, there are no password complexity requirements, so users can choose weak passwords that are easily guessed or cracked using brute-force attacks.

• in Java:

				
					public boolean validatePassword(String password) {
    if (password.length() < 8) {
        return false;
    }
    return true;
}

				
			


In this Java example, the password validation function only checks if the password length is at least 8 characters. While this is a good start, it is not sufficient to ensure strong password complexity requirements.

• in PHP:

				
					function check_password($password) {
    $uppercase = preg_match('@[A-Z]@', $password);
    $lowercase = preg_match('@[a-z]@', $password);
    $number    = preg_match('@[0-9]@', $password);

    if(!$uppercase || !$lowercase || !$number || strlen($password) < 8) {
        return false;
    } else {
        return true;
    }
}

				
			


This PHP function checks if a password contains at least one uppercase letter, one lowercase letter, and one number, and is at least 8 characters long. While this is a better approach than the previous examples, it still does not enforce the use of special characters, making the password vulnerable to certain types of attacks.

Examples of exploitation Insufficient password complexity requirements

Brute-force attacks:

Attackers can use software programs to try different combinations of passwords until they find the correct one. Weak passwords can be easily guessed, and this type of attack can be successful if the password complexity requirements are not enforced.

Dictionary attacks:

In this type of attack, attackers use a pre-defined list of commonly used passwords to try to gain access to a system. Since weak passwords often include common words or phrases, dictionary attacks can be successful if the password complexity requirements are not enforced.

Social engineering:

Attackers can trick users into revealing their passwords by posing as a legitimate source, such as an IT support technician. If users have weak passwords, they may be more susceptible to social engineering attacks.

Credential stuffing:

Attackers can use credentials stolen from other websites or databases to try to gain access to other systems. If users reuse the same weak password across multiple accounts, attackers can easily gain access to those accounts.

Privilege escalation techniques for Insufficient password complexity requirements

Password guessing:

Attackers can use password guessing techniques to gain access to user accounts with weak passwords. They can either guess the password directly or use a dictionary attack to try common passwords.

Password reuse:

If users reuse passwords across multiple accounts, an attacker can gain access to additional accounts by using the password obtained from the initial compromise.

Password cracking:

Attackers can use password cracking tools to obtain passwords from hashes or other encrypted formats. If the password complexity requirements are not enforced, attackers can crack passwords more easily.

Password interception:

Attackers can intercept passwords in transit, for example, by using a man-in-the-middle attack. This technique can be used to capture passwords used for authentication and gain access to user accounts.

General methodology and checklist for Insufficient password complexity requirements

Methodology:

  1. Understand the application or system: First, it is important to understand the application or system being tested, including its purpose, the users who access it, and the types of data it stores.

  2. Identify the password requirements: Review the password requirements for the application or system. This includes the minimum password length, whether special characters are required, and whether password complexity requirements are enforced.

  3. Generate a list of test cases: Based on the password requirements, generate a list of test cases that includes passwords that meet the requirements, passwords that do not meet the requirements, and passwords that are on a list of commonly used passwords.

  4. Test password input: Test the application or system by entering the passwords from the test cases into the password input field. Verify that the system enforces the password requirements and provides appropriate error messages if the password is not strong enough.

  5. Test password storage: Test the password storage mechanism to ensure that passwords are properly encrypted or hashed and that there are no vulnerabilities that would allow attackers to access the passwords.

  6. Test password reset functionality: Test the password reset functionality to ensure that it enforces the same password complexity requirements as the password creation process.

  7. Test password reuse: Test the application or system to ensure that users cannot reuse passwords across multiple accounts.

  8. Document and report findings: Document the test results, including any vulnerabilities or weaknesses in the password complexity requirements. Report the findings to the appropriate parties, such as the application or system owner, so that they can take appropriate actions to address the vulnerabilities.

Checklist:

  1. Check the minimum password length: Verify that the application or system enforces a minimum password length that is appropriate for the level of security needed.

  2. Check for required character types: Verify that the application or system requires users to include a mix of character types, such as uppercase letters, lowercase letters, numbers, and special characters.

  3. Check for password complexity requirements: Verify that the application or system enforces password complexity requirements, such as prohibiting commonly used passwords or dictionary words.

  4. Test password strength: Test the application or system by attempting to create passwords that meet and do not meet the password requirements. Verify that the application or system enforces the password requirements and provides appropriate error messages if the password is not strong enough.

  5. Test password storage: Test the password storage mechanism to ensure that passwords are properly encrypted or hashed and that there are no vulnerabilities that would allow attackers to access the passwords.

  6. Test password reset functionality: Test the password reset functionality to ensure that it enforces the same password complexity requirements as the password creation process.

  7. Test password reuse: Test the application or system to ensure that users cannot reuse passwords across multiple accounts.

  8. Test for brute-force attacks: Test the application or system to determine whether it is vulnerable to brute-force attacks. Try to guess a weak password using different software programs, and see whether the application or system locks the account after a certain number of failed attempts.

  9. Test for dictionary attacks: Test the application or system to determine whether it is vulnerable to dictionary attacks. Try to guess weak passwords based on a pre-defined list of commonly used passwords.

  10. Document and report findings: Document the test results, including any vulnerabilities or weaknesses in the password complexity requirements. Report the findings to the appropriate parties, such as the application or system owner, so that they can take appropriate actions to address the vulnerabilities.

Tools set for exploiting Insufficient password complexity requirements

Automated Tools:

  • John the Ripper: A popular password cracking tool that can detect weak passwords and generate dictionary-based attacks.

  • Hashcat: A password cracking tool that can crack various types of hashes including MD5, SHA1, SHA2, and others. It supports dictionary-based attacks, brute-force attacks, and hybrid attacks.

  • Medusa: A tool for brute-forcing passwords that supports various types of protocols such as SSH, FTP, Telnet, HTTP, and others.

  • Hydra: A popular brute-forcing tool that supports various protocols such as SSH, FTP, Telnet, HTTP, and others. It can perform dictionary-based attacks and brute-force attacks.

  • Ncrack: A tool for network authentication cracking that can perform dictionary-based attacks and brute-force attacks on various protocols such as SSH, RDP, FTP, and others.

  • Cain and Abel: A password cracking tool that can perform dictionary-based attacks and brute-force attacks. It can also intercept network traffic and perform man-in-the-middle attacks.

  • Aircrack-ng: A password cracking tool that can crack Wi-Fi passwords using dictionary-based attacks and brute-force attacks.

  • THC Hydra: A password cracking tool that can perform dictionary-based attacks and brute-force attacks. It supports various protocols such as SSH, FTP, Telnet, and others.

  • Ophcrack: A password cracking tool that can crack Windows passwords using rainbow tables.

  • L0phtCrack: A password cracking tool that can detect weak passwords and perform dictionary-based attacks and brute-force attacks. It can also audit password policies.

Manual Tools:

  • Social Engineering: A technique used to trick people into revealing their passwords. It can be done through phishing, pretexting, or other methods.

  • Shoulder Surfing: A technique used to observe people as they enter their passwords. It can be done in public places, at work, or even at home.

  • Password Guessing: A technique used to guess passwords based on common words, dates, or personal information about the user.

  • Rainbow Tables: A pre-computed table of possible password hashes that can be used to crack passwords quickly.

  • Word Lists: A list of common passwords or words that can be used to perform dictionary-based attacks.

  • Brute-Force Attacks: A technique used to guess passwords by trying every possible combination of characters until the correct password is found.

  • Password Spraying: A technique used to guess passwords by using a few commonly used passwords against many different user accounts.

Browser Plugins:

  • Password Checkup by Google: A browser extension that alerts users if their password has been compromised in a data breach.

  • LastPass: A password manager that securely stores passwords and generates strong passwords.

  • Dashlane: A password manager that securely stores passwords and generates strong passwords.

  • 1Password: A password manager that securely stores passwords and generates strong passwords.

  • KeePassXC: A free, open-source password manager that securely stores passwords and generates strong passwords.

Average CVSS score of stack Insufficient password complexity requirements

The average CVSS score of a stack with insufficient password complexity requirements would depend on the severity and impact of the vulnerability in the specific system or application.

However, in general, insufficient password complexity requirements are considered a medium-level vulnerability, with a CVSS score ranging from 4.0 to 6.9. This is because while it is a security weakness that can be exploited, it does not necessarily guarantee immediate unauthorized access or control over the system.

It’s important to note that the CVSS score can vary depending on factors such as the complexity of the password policy, the ease of exploitation, and the impact on the system or data. Therefore, it’s essential to perform a thorough vulnerability assessment to determine the actual CVSS score for the specific system or application.

The Common Weakness Enumeration (CWE)

• CWE-521: Weak Password Requirements: This CWE category covers issues where password policies are too weak or are not enforced, resulting in passwords that are easy to guess or crack.

• CWE-522: Insufficiently Protected Credentials: This CWE category covers issues where credentials are not sufficiently protected, allowing unauthorized access or disclosure.

• CWE-523: Unprotected Transport of Credentials: This CWE category covers issues where credentials are transmitted over an insecure channel, allowing them to be intercepted and potentially used by an attacker.

• CWE-524: Insecure Storage of Credentials: This CWE category covers issues where credentials are stored in an insecure manner, such as in plain text or with weak encryption, making them vulnerable to theft.

• CWE-308: Use of Single-factor Authentication: This CWE category covers issues where only one form of authentication is used, making it easier for attackers to bypass the authentication mechanism.

• CWE-326: Inadequate Encryption Strength: This CWE category covers issues where encryption algorithms or key lengths are too weak, making them vulnerable to attacks that can crack the encryption.

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm: This CWE category covers issues where cryptographic algorithms or implementations are known to be vulnerable or insecure.

• CWE-528: Verification of Data Authenticity and Integrity: This CWE category covers issues where data authenticity and integrity are not verified, allowing unauthorized or malicious modifications.

• CWE-521: Weak Password Requirements: This CWE category covers issues where password policies are too weak or are not enforced, resulting in passwords that are easy to guess or crack.

• CWE-534: Multiple Bindings for the Same Resource: This CWE category covers issues where the same resource (such as a password) is bound to multiple entities or applications, creating the potential for confusion and security vulnerabilities.

Top 10 CVES related to Insufficient password complexity requirements

• CVE-2022-35143 – Renato v0.17.0 employs weak password complexity requirements, allowing attackers to crack user passwords via brute-force attacks.

• CVE-2019-9096 – An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. Insufficient password requirements for the MGate web application may allow an attacker to gain access by brute-forcing account passwords.

• CVE-2017-9853 – ** DISPUTED ** An issue was discovered in SMA Solar Technology products. All inverters have a very weak password policy for the user and installer password. No complexity requirements or length requirements are set. Also, strong passwords are impossible due to a maximum of 12 characters and a limited set of characters. NOTE: the vendor reports that the 12-character limit provides “a very high security standard.” Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected.

• CVE-2016-5801 – An issue was discovered in OmniMetrix OmniView, Version 1.2. Insufficient password requirements for the OmniView web application may allow an attacker to gain access by brute forcing account passwords.

• CVE-2012-3287 – Poul-Henning Kamp md5crypt has insufficient algorithmic complexity and a consequently short runtime, which makes it easier for context-dependent attackers to discover cleartext passwords via a brute-force attack, as demonstrated by an attack using GPU hardware.

Insufficient password complexity requirements exploits

  • Brute-Force Attack: This type of attack involves trying every possible combination of characters until the correct password is found. A weak password policy can make brute-force attacks easier and faster to execute.

  • Dictionary Attack: In this type of attack, attackers use a pre-defined list of commonly used passwords or words to try and guess the correct password. Weak password policies that allow the use of common or easily guessable words make dictionary attacks more likely to succeed.

  • Password Guessing: Attackers can use personal information or publicly available data to make educated guesses about a user’s password. Weak password policies that allow the use of personal information or common patterns make password guessing attacks more successful.

  • Credential Stuffing: Attackers use stolen login credentials from one site to try and gain access to other sites where the same credentials are used. Weak password policies that allow the reuse of passwords across different accounts can make credential stuffing attacks more successful.

  • Rainbow Table Attack: This type of attack involves the use of precomputed tables of hashed passwords to quickly crack passwords. Weak password policies that use weak or easily guessable hashing algorithms can make rainbow table attacks easier to execute.

  • Pass-the-Hash Attack: Attackers use the hashed value of a user’s password to gain access to a system or application, bypassing the need for the actual password. Weak password policies that use weak hashing algorithms or do not properly protect hashed passwords can make pass-the-hash attacks more likely to succeed.

  • Man-in-the-Middle Attack: Attackers intercept and modify communication between a user and a system or application, allowing them to capture login credentials or modify authentication requests. Weak password policies that do not enforce secure communication protocols make man-in-the-middle attacks more likely to succeed.

Practicing in test for Insufficient password complexity requirements

Learn about common password policies and best practices: Familiarize yourself with common password policies, such as minimum password length, complexity requirements, and password expiration. Also, learn about best practices for creating strong and secure passwords.

Use vulnerable applications or tools: There are many vulnerable applications and tools available that you can use to practice testing for insufficient password complexity requirements. For example, you can use the OWASP Vulnerable Web Applications Directory to find vulnerable web applications to practice on.

Use password cracking tools: You can use password cracking tools, such as John the Ripper or Hashcat, to practice cracking passwords. These tools can help you understand how different password policies and encryption algorithms affect password cracking.

Use automated scanning tools: Automated scanning tools, such as Burp Suite or Nessus, can help you identify weak password policies and other security vulnerabilities in web applications and systems.

Join online communities or forums: Joining online communities or forums, such as OWASP or Reddit’s /r/netsec, can help you learn from other security professionals and get feedback on your testing techniques.

Take online courses or tutorials: There are many online courses and tutorials available that can help you learn about password security and testing techniques. For example, OWASP offers a variety of free online courses and tutorials on web application security.

For study Insufficient password complexity requirements

OWASP Password Policy Cheat Sheet: The OWASP Password Policy Cheat Sheet provides guidelines and best practices for creating strong and secure passwords. It also includes recommendations for password storage and management.

NIST Special Publication 800-63B: This publication from the National Institute of Standards and Technology provides guidelines for digital identity management and password security. It includes recommendations for password complexity, length, and expiration.

OWASP Testing Guide: The OWASP Testing Guide provides a comprehensive framework for testing web applications for security vulnerabilities, including insufficient password complexity requirements.

OWASP Top Ten Project: The OWASP Top Ten Project is a regularly updated list of the top ten most critical web application security risks. The list includes insufficient password complexity requirements as a common vulnerability.

Password Cracking Challenges: Password cracking challenges, such as those offered by Crack Me If You Can, can help you practice your password cracking skills and learn more about encryption and hashing algorithms.

Online Courses: There are many online courses available that cover password security and testing techniques. For example, Udemy offers a course on Ethical Hacking: Password Cracking, which covers password cracking tools and techniques.

Online Communities: Joining online communities, such as the OWASP community or Reddit’s /r/netsec, can help you connect with other security professionals and learn from their experiences and knowledge.

Books with review of Insufficient password complexity requirements

Web Application Security: A Beginner’s Guide by Bryan Sullivan and Vincent Liu – This book provides an introduction to web application security, including password security and authentication.

Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman – This book covers penetration testing techniques, including password cracking and brute force attacks.

The Basics of Hacking and Penetration Testing by Patrick Engebretson – This book provides an introduction to ethical hacking and penetration testing, including password cracking techniques.

Security Engineering: A Guide to Building Dependable Distributed Systems by Ross J. Anderson – This book covers a wide range of security engineering topics, including password security and authentication.

Hacking: The Art of Exploitation by Jon Erickson – This book covers a range of hacking techniques, including password cracking and brute force attacks.

Metasploit: The Penetration Tester’s Guide by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni – This book covers the Metasploit Framework, including techniques for exploiting weak passwords.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz – This book provides an introduction to Python programming for security professionals, including password cracking and brute force attacks.

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers by Kevin Mitnick – This book provides a collection of true stories about real-world hacking exploits, including password cracking and social engineering.

Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier – This book covers the theory and practice of cryptography, including password hashing and encryption algorithms.

Security Power Tools by Bryan Burns, Dave Killion, and Nicolas Beauchesne – This book provides an overview of security tools and techniques, including password cracking and vulnerability scanning.

List of payloads Insufficient password complexity requirements

  • Common passwords: This payload includes a list of commonly used passwords, such as “123456”, “password”, “qwerty”, etc. These passwords are easily guessable and can be cracked quickly.

  • Dictionary words: This payload includes a list of dictionary words, which can be used in a brute force attack. Passwords that are made up of dictionary words are often weak and easily guessable.

  • Character patterns: This payload includes passwords that follow a pattern, such as “aaaaaa”, “123123”, “qwertyui”, etc. These types of passwords are also easily guessable.

  • Keyboard patterns: This payload includes passwords that follow a pattern on the keyboard, such as “qazwsx”, “edcrfv”, etc. These types of passwords are also easily guessable.

  • Social engineering: This payload includes passwords that are based on personal information, such as birth dates, names of family members, pet names, etc. These types of passwords can be obtained through social engineering tactics.

  • Custom wordlists: can be created using various tools, such as Crunch or CeWL, to generate passwords based on specific criteria, such as length, complexity, etc.

  • Brute force attacks: attacks can be used to test for weak passwords by systematically trying every possible combination of characters until the correct password is found.

How to be protected from Insufficient password complexity requirements

Use strong passwords: Use complex passwords that include a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using easy-to-guess passwords, such as “password” or “123456”.

Use a password manager: Consider using a password manager to generate and store strong, unique passwords for each of your accounts. This reduces the risk of using the same password across multiple accounts.

Enable multi-factor authentication: Use multi-factor authentication (MFA) whenever possible, which adds an extra layer of security to your accounts. This can include a password plus a code sent to your phone or email, or biometric verification.

Regularly change passwords: Regularly change your passwords, particularly for accounts that contain sensitive information or are high-risk. Set a reminder to update your passwords at least every six months.

Be aware of phishing attacks: Be cautious of phishing attacks that attempt to steal your login credentials by tricking you into clicking on a malicious link or downloading malware. Always verify the sender and be wary of unsolicited emails or messages.

Keep your software up-to-date: Keep your operating system, web browser, and other software up-to-date to ensure that security vulnerabilities are patched.

Use a reputable antivirus software: Use a reputable antivirus software to protect your computer from malware and viruses that could steal your login credentials.

Mitigations for Insufficient password complexity requirements

  1. Enforce password complexity requirements: Ensure that users are required to create strong passwords that include a combination of uppercase and lowercase letters, numbers, and special characters.

  2. Implement multi-factor authentication: Use multi-factor authentication (MFA) to add an extra layer of security to accounts. This can include a password plus a code sent to your phone or email, or biometric verification.

  3. Implement a password expiration policy: Set a policy to require users to change their passwords at regular intervals. This ensures that old passwords are no longer in use and reduces the risk of them being compromised.

  4. Educate users: Educate users on the importance of strong passwords and provide guidance on how to create them. Encourage users to avoid using common passwords or personal information in their passwords.

  5. Use password managers: Encourage users to use password managers to generate and store strong, unique passwords for each of their accounts.

  6. Implement a lockout policy: Set a policy that locks out users after a certain number of failed login attempts. This helps to prevent brute force attacks.

  7. Implement rate-limiting: Implement rate-limiting to limit the number of login attempts that can be made within a certain time period. This helps to prevent brute force attacks.

Conclusion

Insufficient password complexity requirements pose a serious security risk as weak passwords can be easily guessed or brute-forced, allowing attackers to gain unauthorized access to sensitive information and systems. To mitigate this risk, it is important to enforce password complexity requirements, use multi-factor authentication, regularly change passwords, educate users on the importance of strong passwords, use password managers, implement lockout and rate-limiting policies, and keep software up-to-date. By implementing these measures, individuals and organizations can significantly reduce the risk of falling victim to Insufficient password complexity requirements and better protect their information and systems from unauthorized access.

Other Services

Ready to secure?

Let's get in touch