# Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

**Stack:** Python

- Prevalence: High, frequently exploited
- Impact: High, 3 high-severity rules
- Prevention: Documented, 3 fix examples

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Weak password recovery mechanisms can be exploited to take over user accounts. Common issues include predictable reset tokens, security questions with easily guessable answers, or a lack of verification that the requester actually controls the account.

## Prevention

Weak Password Recovery prevention strategy based on 1 Shoulder detection rule.

### Python

Use the `secrets` module for cryptographically secure token generation.

## Warning Signs

- [HIGH] Password reset tokens generated using weak or predictable methods like timestamps or non-cryptographic random.

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Use strong, random tokens for password reset links
- Implement token expiry (e.g. 1 hour) and invalidate the token after a single use
- Require additional verification such as email or SMS
- Do not expose reset tokens in URLs that may be logged; a reset link unavoidably carries the token, so keep it short-lived and single-use, and avoid loading third-party resources on the reset page that would receive the token in a `Referer` header

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rule)

- **Weak Password Reset Token** [HIGH]: Detects password reset tokens generated using weak or predictable methods like timestamps or non-cryptographic random.
  - Remediation: Use the `secrets` module for cryptographically secure token generation.

```python
import secrets

# 32 bytes from the OS CSPRNG, URL-safe base64 encoded without padding (43 characters)
token = secrets.token_urlsafe(32)
```

Learn more: https://shoulder.dev/learn/python/cwe-640/weak-password-reset-token
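The following is an added example, not code from this page or from Shoulder, that puts the mitigations above together in one place. It shows a deliberately weak timestamp-derived reset token beside an attacker routine that recovers it by brute-forcing a small time window, and a hardened `ResetTokenStore` (a hypothetical name) that issues `secrets.token_urlsafe(32)` tokens, stores only a SHA-256 digest of each token so a leaked database yields nothing redeemable, enforces a one-hour expiry and consumes the token on first use. The in-memory dict stands in for whatever database the application uses; the `now` parameters exist so the expiry logic can be exercised deterministically.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# One hour, matching the expiry recommended in the mitigations above.
TOKEN_TTL_SECONDS = 3600


def weak_reset_token(user_id: int, now: Optional[float] = None) -> str:
    """DELIBERATELY WEAK: the token is a function of public data (user id) and
    the issue time, so anyone who knows roughly when the reset was requested
    can enumerate it. Do not use this; it is here to show the failure mode."""
    now = time.time() if now is None else now
    return hashlib.md5(f"{user_id}:{int(now)}".encode()).hexdigest()


def guess_weak_token(user_id: int, observed_token: str,
                     approx_time: float, window: int) -> Optional[int]:
    """Attacker's view: try every second within +/- window of the guessed
    request time and return the matching timestamp, or None if not found."""
    start = int(approx_time) - window
    for ts in range(start, start + 2 * window + 1):
        if weak_reset_token(user_id, now=ts) == observed_token:
            return ts
    return None


class ResetTokenStore:
    """Hardened reset-token handling (hypothetical class, in-memory backing).

    - tokens come from the OS CSPRNG via secrets.token_urlsafe(32)
    - only a SHA-256 digest of the token is persisted
    - each token expires after TOKEN_TTL_SECONDS and is single-use
    """

    def __init__(self) -> None:
        # digest -> (user_id, expires_at)
        self._pending: Dict[str, Tuple[int, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Hashing before lookup means the raw secret is never compared or
        # stored; a dump of _pending cannot be turned into a valid reset link.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        """Create a reset token for user_id and return it (to be emailed)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 chars
        self._pending[self._digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[int]:
        """Return the user_id the token belongs to, or None if it is unknown,
        already used, or expired. The token is consumed on the first call."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    # Weak token: recovered from a 60-second window around the request time.
    issued_at = 1700000000.0  # constructed sample timestamp
    weak = weak_reset_token(42, now=issued_at)
    print("weak token recovered at", guess_weak_token(42, weak, issued_at + 30, 60))

    # Strong token: random, hashed at rest, expiring, single-use.
    store = ResetTokenStore()
    strong = store.issue(42)
    print("first redeem ->", store.redeem(strong))   # 42
    print("second redeem ->", store.redeem(strong))  # None
```

The attacker routine only needs to know the victim's user id and the approximate time of the reset request, both of which are typically observable; the strong token has no such structure, so the only attack left is guessing 256 bits, which expiry and single-use further bound.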