Add flaw 4: weak passwords allowed

2024-11-25 17:16:29 +02:00 · 2024-11-25 17:16:29 +02:00 · e8f671d66e
commit e8f671d66e
parent 05fec8a837
3 changed files with 16 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -40,7 +40,12 @@ SQL Injection (Unsanitized SQL query for search)
 FLAW 4:
 > ADD EXACT SOURCE LINK

-Identification and Authentication Failure (No password strength checks)
+(Identification and Authentication Failures) As is, the application performs no checks for weak passwords.
+This makes users more vulnerable to attacks based on trying common and weak passwords, escpecially if the password database gets leaked (See also flaws 2 and 3).
+
+The fix for this issue is to perform server-side validation on new passwords, and checking that they are reasonable.
+Django includes a simple built-in validator which checks that the password has a minimum length (default 8, in this app 10), is not too similar to the username, is not a common password (20000 password list) and is not purely numeric.
+These checks are implemented in the commented out code, and would significantly improve the situation.

 FLAW 5:
 > ADD EXACT SOURCE LINK
--- a/notes/views.py
+++ b/notes/views.py
@ -99,11 +99,13 @@ def register_view(request):
        # Password validation
        if password1 != password2:
            errors.append("Passwords don't match.")
-        try:
-            validate_password(password1)
-        except ValidationError as error:
-            for message in error.messages:
-                errors.append(message)
+# FLAW 4:
+# Adding some sensible password validation would fix the problem
+#        try:
+#            validate_password(password1)
+#        except ValidationError as error:
+#            for message in error.messages:
+#                errors.append(message)

        if not errors:
            user = User.objects.create_user(username=username, password=password1)
--- a/project/settings.py
+++ b/project/settings.py
@ -91,6 +91,9 @@ AUTH_PASSWORD_VALIDATORS = [
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+        'OPTIONS': {
+            'min_length': 10,
+        }
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',