Weak Password Requirements (CWE-521) - Security Vulnerability

Weak Password Requirements

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Without strong password requirements, users often choose weak, easily guessable passwords. This makes brute-force and dictionary attacks more likely to succeed.

普遍性

高

频繁被利用

影响

高

1 条严重级别为高的规则

预防

已记录

2 个修复示例

2 预防

如何修复此漏洞

基于 2 条 Shoulder 检测规则的 Weak Password Requirements 预防策略。

🐹 Go 查看全部 Go 详情 →

Weak Password Policy MEDIUM

Enforce minimum 12-character passwords with complexity requirements

+14 -2 go

  func validatePassword(password string) error {
-     if len(password) < 6 {
-         return errors.New("too short")
+     if len(password) < 12 {
+         return errors.New("password must be at least 12 characters")
+     }
+     var hasUpper, hasLower, hasDigit, hasSpecial bool
+     for _, c := range password {
+         switch {
+         case unicode.IsUpper(c):  hasUpper = true
+         case unicode.IsLower(c):  hasLower = true
+         case unicode.IsDigit(c):  hasDigit = true
+         case unicode.IsPunct(c) || unicode.IsSymbol(c): hasSpecial = true
+         }
+     }
+     if !hasUpper || !hasLower || !hasDigit || !hasSpecial {
+         return errors.New("password must include upper, lower, digit, and special char")
      }
      return nil
  }

🟨 JavaScript 查看全部 JavaScript 详情 →

Weak Password Policy HIGH

Require minimum 12 characters with complexity checks or use a password strength library

+4 -2 javascript

- if (password.length < 6) {
-   throw new Error('Password too short');
+ const zxcvbn = require('zxcvbn');
+ 
+ if (password.length < 12 || zxcvbn(password).score < 3) {
+   throw new Error('Password too weak');
  }

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Weak Password Requirements模式。 2 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=521

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (2)

🐹 Go 1 rules

Weak Password Policy MEDIUM

Password validation requires fewer than 8 characters.

🟨 Javascript 1 rules

Weak Password Policy HIGH

Detects password validation that lacks proper complexity requirements, making accounts vulnerable to brute force attacks.

🔷 Typescript 1 rules

Weak Password Policy HIGH

Detects password validation that lacks proper complexity requirements, making accounts vulnerable to brute force attacks.

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Weak Password Requirements漏洞。在代码审查和安全审计中注意查找。

🟠

Password validation at ... lacks proper complexity requirements javascript-weak-password-policy

🟠

password validation that lacks proper complexity requirements, making accounts vulnerable to brute f javascript-weak-password-policy

🔍

扫描你的代码库: Weak Password Requirements

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则