# Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

**Stack:** Go

- Prevalence: High (frequently exploited)
- Impact: High (3 high-severity rules)
- Prevention: Documented (3 fix examples)

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Weak password recovery mechanisms can be exploited to take over user accounts. Common issues include predictable reset tokens, security questions with easily guessable answers, or lack of verification.

## Prevention

Prevention measures for Weak Password Recovery, based on 1 Shoulder detection rule.

### Go

Use crypto/rand with 32+ bytes of entropy for password reset tokens.

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Use strong, random tokens for password reset links
- Set an expiration time on tokens (e.g., 1 hour)
- Require additional verification such as email or SMS
- Do not include reset tokens in URLs that may end up in logs

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rule)

- **Weak Password Reset Token** [HIGH]: Password reset token uses predictable values like timestamps or math/rand.
  - Remediation: Generate reset tokens using crypto/rand with at least 32 bytes of entropy.

```go
import (
	"crypto/rand"
	"encoding/hex"
)

// generateResetToken returns a 256-bit token read from the OS CSPRNG,
// hex-encoded to 64 characters.
func generateResetToken() (string, error) {
	b := make([]byte, 32) // 32 bytes = 256 bits of entropy
	if _, err := rand.Read(b); err != nil {
		return "", err // never fall back to a weaker source on failure
	}
	return hex.EncodeToString(b), nil
}
```

Learn more: https://shoulder.dev/learn/go/cwe-640/weak-password-reset-token
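The remediation above only covers token generation; the mitigations section also asks for an expiry and for keeping the token out of places where it could be read back. The following is an added example, not code from Shoulder or from this page, that puts those pieces together in one small reset-token store: tokens come from crypto/rand, only a SHA-256 hash is kept at rest, every token expires after one hour and is consumed on first use. The names `ResetStore`, `NewResetStore`, `Issue`, `Redeem`, `resetTokenTTL` and the injected clock are assumptions introduced for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// resetTokenTTL follows the page's mitigation of a short expiry (1 hour). Hypothetical name.
const resetTokenTTL = time.Hour

// ErrInvalidToken covers unknown, expired and already-used tokens alike, so a
// caller cannot tell which of the three it hit.
var ErrInvalidToken = errors.New("invalid or expired reset token")

type resetRecord struct {
	userID    string
	expiresAt time.Time
}

// ResetStore (hypothetical) holds pending reset requests keyed by the SHA-256
// of the token, so a leaked copy of the store cannot be replayed as a token.
type ResetStore struct {
	mu      sync.Mutex
	records map[[32]byte]resetRecord
	now     func() time.Time // injectable clock so expiry can be tested deterministically
}

func NewResetStore(now func() time.Time) *ResetStore {
	if now == nil {
		now = time.Now
	}
	return &ResetStore{records: make(map[[32]byte]resetRecord), now: now}
}

// Issue creates a reset token for userID: 32 bytes from crypto/rand (256 bits of
// entropy), hex-encoded. Only its hash and an expiry are stored; the raw token is
// returned once so it can be delivered to the user out of band.
func (s *ResetStore) Issue(userID string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err // do not fall back to math/rand or a timestamp on failure
	}
	token := hex.EncodeToString(b)
	h := sha256.Sum256([]byte(token))

	s.mu.Lock()
	defer s.mu.Unlock()
	s.records[h] = resetRecord{userID: userID, expiresAt: s.now().Add(resetTokenTTL)}
	return token, nil
}

// Redeem checks a presented token and, if it is known, unexpired and unused,
// consumes it and returns the user it belongs to. An expired entry is removed
// on the way so stale records do not accumulate.
func (s *ResetStore) Redeem(token string) (string, error) {
	h := sha256.Sum256([]byte(token))

	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.records[h]
	if !ok {
		return "", ErrInvalidToken
	}
	delete(s.records, h) // single use: valid or expired, the record is gone now
	if s.now().After(rec.expiresAt) {
		return "", ErrInvalidToken
	}
	return rec.userID, nil
}

func main() {
	store := NewResetStore(nil)
	token, err := store.Issue("alice")
	if err != nil {
		panic(err)
	}
	fmt.Println("token length:", len(token)) // 64 hex characters
	user, err := store.Redeem(token)
	fmt.Println("first redeem:", user, err) // alice <nil>
	_, err = store.Redeem(token)
	fmt.Println("second redeem:", err) // invalid or expired reset token
}
```

The raw token is returned exactly once from `Issue` and is meant to be sent through the verified channel (email or SMS, as the mitigations list says); because the store only keeps the hash, neither a database dump nor the application's own logs of the store contents give an attacker something they can present to `Redeem`.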