# Weak Password Policy

- ID: javascript-weak-password-policy
- Severity: HIGH
- CWE: Weak Password Requirements (CWE-521)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs, nodejs

## Description

Detects password validation that lacks proper complexity requirements, making accounts vulnerable to brute force attacks.

## Detection Message

Password validation at {location} lacks proper complexity requirements

## Remediation

Implement strong password requirements:

```javascript
// ✅ SAFE - Strong password policy
function validatePassword(password) {
  if (password.length < 12) {
    throw new Error('Password must be at least 12 characters');
  }

  const hasUppercase = /[A-Z]/.test(password);
  const hasLowercase = /[a-z]/.test(password);
  const hasDigit = /\d/.test(password);
  const hasSpecial = /[!@#$%^&*(),.?":{}|<>]/.test(password);

  if (!hasUppercase || !hasLowercase || !hasDigit || !hasSpecial) {
    throw new Error(
      'Password must contain uppercase, lowercase, digit, and special character'
    );
  }

  return true;
}
```

## Documentation

[object Object]

## Related Rules

- **Weak Password Policy** [MEDIUM]: