# Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

- Prevalence: High, frequently exploited
- Impact: High, 3 high-severity rules
- Prevention: Documented, 3 fix examples

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Weak password recovery mechanisms can be exploited to take over user accounts. Common issues include predictable reset tokens, security questions with easily guessable answers, or lack of verification.

## Prevention

Prevention strategies for Weak Password Recovery, based on 3 Shoulder detection rules.

### Go

Use crypto/rand with 32+ bytes of entropy for password reset tokens.

### JavaScript

Use crypto.randomBytes() instead of Math.random() for security tokens.

### Python

Use the secrets module for cryptographically secure token generation.

## Warning Signs

- [HIGH] Predictable random number generation (Math.random) used for password reset tokens
- [HIGH] Password reset tokens generated using weak or predictable methods like timestamps or non-cryptographic random

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Use strong, random tokens for password reset links
- Enforce token expiration (e.g. 1 hour)
- Require additional verification such as email or SMS
- Never expose reset tokens in URLs that could be logged

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rule)

- **Weak Password Reset Token** [HIGH]: Password reset token uses predictable values like timestamps or math/rand.
  - Remediation: Generate reset tokens using crypto/rand with at least 32 bytes of entropy.

```go
import (
	"crypto/rand"   // CSPRNG, not math/rand
	"encoding/hex"  // needed for hex.EncodeToString
)

// generateResetToken returns 32 bytes (256 bits) of CSPRNG output, hex-encoded.
func generateResetToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}
```

Learn more: https://shoulder.dev/learn/go/cwe-640/weak-password-reset-token

### JavaScript (1 rule)

- **Weak Password Reset Token** [HIGH]: Detects predictable random number generation (Math.random) used for password reset tokens.
  - Remediation: Use cryptographically secure random:

```javascript
const crypto = require('crypto');
const resetToken = crypto.randomBytes(32).toString('hex');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-640/weak-password-reset-token

### TypeScript (1 rule)

- **Weak Password Reset Token** [HIGH]: Detects predictable random number generation (Math.random) used for password reset tokens.
  - Remediation: Use cryptographically secure random:

```javascript
const crypto = require('crypto');
const resetToken = crypto.randomBytes(32).toString('hex');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-640/weak-password-reset-token

### Python (1 rule)

- **Weak Password Reset Token** [HIGH]: Detects password reset tokens generated using weak or predictable methods like timestamps or non-cryptographic random.
  - Remediation: Use the secrets module for cryptographically secure token generation.

```python
import secrets

token = secrets.token_urlsafe(32)
```

Learn more: https://shoulder.dev/learn/python/cwe-640/weak-password-reset-token
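The snippets above only cover token generation; the Mitigations section also asks for expiry, single use and hashed storage. The following is an added example (not Shoulder's or any project's code) that puts those together in Python, using a constructed in-memory store in place of a database and an injectable `now` parameter for testing.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # mitigation: reset tokens expire after one hour

# Constructed in-memory store for the example: username -> (sha256(token), expiry).
_pending_resets: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    # Store only a hash: a leaked database or log line must not yield a usable token.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token carrying 256 bits of CSPRNG entropy."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # never time.time(), random.random() or a counter
    _pending_resets[username] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token  # deliver out-of-band (email/SMS); keep it out of logged URLs


def redeem_reset_token(username: str, presented: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    entry = _pending_resets.get(username)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now > expires_at:
        _pending_resets.pop(username, None)  # expired tokens are discarded outright
        return False
    # Constant-time comparison: no timing signal about how many bytes matched.
    if not hmac.compare_digest(stored_digest, _digest(presented)):
        return False
    _pending_resets.pop(username, None)  # single use: consumed on success
    return True
```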