# Weak Password Requirements (CWE-521)

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

- Prevalence: 高 頻繁に悪用される
- Impact: ハイ 1 件の重大度ハイのルール
- Prevention: 文書化済み 2 件の修正例

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Without strong password requirements, users often choose weak, easily guessable passwords. This makes brute-force and dictionary attacks more likely to succeed.

## Prevention

2 件の Shoulder 検出ルールに基づく Weak Password Requirements の予防策。

### Go

Enforce minimum 12-character passwords with complexity requirements

### JavaScript

Require minimum 12 characters with complexity checks or use a password strength library

## Warning Signs

- [HIGH] Password validation at ... lacks proper complexity requirements
- [HIGH] password validation that lacks proper complexity requirements, making accounts vulnerable to brute f

## Consequences

- 権限の取得
- 保護メカニズムの回避

## Mitigations

- パスワードの最小長を強制する (12 文字以上を推奨)
- パスワードを既知の漏洩データベースと照合する
- 多要素認証 (MFA) を実装する

## Detection

- Total rules: 2
- Languages: go, javascript, typescript

## Rules by Language

### Go (1 rules)

- **Weak Password Policy** [MEDIUM]: Password validation requires fewer than 8 characters.
  - Remediation: Enforce minimum password length of 12+ characters with complexity requirements.

```go
func validatePassword(password string) error {
    if len(password) < 12 {
        return errors.New("password must be at least 12 characters")
    }
    // Add complexity checks: uppercase, lowercase, digit, special char
    return nil
}
```

Learn more: https://shoulder.dev/learn/go/cwe-521/weak-password-policy

### Javascript (1 rules)

- **Weak Password Policy** [HIGH]: Detects password validation that lacks proper complexity requirements, making accounts vulnerable to brute force attacks.
  - Remediation: Implement strong password requirements:

```javascript
// ✅ SAFE - Strong password policy
function validatePassword(password) {
  if (password.length < 12) {
    throw new Error('Password must be at least 12 characters');
  }

  const hasUppercase = /[A-Z]/.test(password);
  const hasLowercase = /[a-z]/.test(password);
  const hasDigit = /\d/.test(password);
  const hasSpecial = /[!@#$%^&*(),.?":{}|<>]/.test(password);

  if (!hasUppercase || !hasLowercase || !hasDigit || !hasSpecial) {
    throw new Error(
      'Password must contain uppercase, lowercase, digit, and special character'
    );
  }

  return true;
}
```

### Typescript (1 rules)

- **Weak Password Policy** [HIGH]: Detects password validation that lacks proper complexity requirements, making accounts vulnerable to brute force attacks.
  - Remediation: Implement strong password requirements:

```javascript
// ✅ SAFE - Strong password policy
function validatePassword(password) {
  if (password.length < 12) {
    throw new Error('Password must be at least 12 characters');
  }

  const hasUppercase = /[A-Z]/.test(password);
  const hasLowercase = /[a-z]/.test(password);
  const hasDigit = /\d/.test(password);
  const hasSpecial = /[!@#$%^&*(),.?":{}|<>]/.test(password);

  if (!hasUppercase || !hasLowercase || !hasDigit || !hasSpecial) {
    throw new Error(
      'Password must contain uppercase, lowercase, digit, and special character'
    );
  }

  return true;
}
```