Strong password policy not implemented

What is the Vulnerability?

The vulnerability arises when a web application fails to enforce a strong password policy during user registration, password change, or password reset. A weak or missing policy allows users to:

  • Set short passwords (e.g., 3–4 characters)
  • Use common or predictable passwords (e.g., 123456, password, admin)
  • Omit numbers, uppercase letters, or special characters, so the password is drawn from a small character set
  • Reuse previous passwords, or choose passwords that already appear in public breach dumps
Without server-side validation, attackers compromise such accounts far more easily through online password guessing, brute-force attacks, or credential stuffing with leaked username/password pairs.

Impact of the Vulnerability

The lack of a strong password policy can lead to:

  • Increased risk of account compromise: Weak passwords fall quickly to automated guessing tools, wordlists, and leaked credential databases.
  • Data breaches: Once inside an account, attackers can access personal information, transaction history, or admin-level controls.
  • Privilege escalation: If administrative accounts are compromised, attackers may gain wider control of the system.
  • Regulatory non-compliance: Weak password controls can result in violations of security standards like ISO 27001, PCI-DSS, HIPAA, or GDPR.
  • Reputational damage: A breach caused by poor password practices reflects badly on organizational security and user trust.

How to Fix and Prevent the Vulnerability

To solve this problem, organizations should enforce a strong password policy for all login and password-related forms.

Enforce Strong Password Requirements

Ensure users create passwords that meet minimum complexity standards:

  • Minimum length: at least 12 characters is a sensible floor (NIST SP 800-63B allows 8 as the minimum), with a generous maximum (64 characters or more) so that long passphrases are accepted
  • Require a mix of uppercase letters, lowercase letters, numbers, and special characters; note that NIST SP 800-63B now advises against relying on composition rules alone, so treat them as a supplement to length and breach screening rather than the main control
  • Block common or breached passwords: keep a blocklist of the most frequently used passwords, and check candidates against a compromised-password corpus. Services such as Have I Been Pwned expose this through a k-anonymity range API that takes only the first five hex characters of the SHA-1 hash, so the password itself never leaves the server

Implement Password Expiry and History Rules

Require users to change passwords periodically where a compliance regime demands it (PCI DSS, for example, requires rotation at least every 90 days where a password is the only authentication factor). Be aware that NIST SP 800-63B recommends forcing a change only when there is evidence of compromise, because scheduled rotation tends to produce predictable increments of the previous password.

Prevent reuse of previously used passwords by keeping the salted hashes of the last N passwords and rejecting any candidate that matches one of them. Never store old passwords in cleartext for this purpose.

Enforce Client and Server Side Validation

Implement password strength checks on the client side to give users immediate feedback, but treat that as usability only: anything in the browser can be bypassed with a proxy or a hand-crafted request. The server must independently enforce the full policy on every request that sets a password, regardless of what the client did or claimed to check.
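The following is an added example of the server-side check described above, not code from the original page. It implements the page's policy (length, all four character classes, common-password blocklist, breach check, and password history) using only the Python standard library. The blocklist, the in-memory breach table that stands in for the Have I Been Pwned range API, and the history entries are all constructed for the example so that it runs offline; the function and constant names are the example's own.

```python
"""Server-side password policy check.

Added example, not code from the original page. Uses only the Python
standard library. Assumptions, all constructed for the example:
  * COMMON_PASSWORDS is a tiny stand-in for a real blocklist (load a
    large corpus at startup in production);
  * _BREACHED is an in-memory stand-in for the Have I Been Pwned range
    API (lookup by first five hex chars of SHA-1, suffixes compared
    locally) so the check runs offline;
  * password history is a list of (salt, PBKDF2 digest) tuples that the
    application would normally load from its user store.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 12               # the page's 8-12 range: take the upper end
MAX_LENGTH = 128              # allow long passphrases, but cap before hashing
HISTORY_DEPTH = 5             # how many previous passwords are rejected
PBKDF2_ITERATIONS = 600_000   # OWASP's current figure for PBKDF2-HMAC-SHA256

# Constructed blocklist (assumption: production loads a large corpus).
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "letmein",
                    "password1", "welcome1", "iloveyou"}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the HIBP range table: prefix -> set of suffixes.
# Populated from two passwords so the lookup below has something to hit.
_BREACHED = {}
for _seed in ("password", "P@ssw0rd"):
    _digest = _sha1_hex(_seed)
    _BREACHED.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password: str) -> bool:
    """k-anonymity style lookup: only the 5-char prefix would be sent to
    a remote service; the 35-char suffix is matched locally."""
    digest = _sha1_hex(password)
    return digest[5:] in _BREACHED.get(digest[:5], set())


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the returned pair is what history stores."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate: str, username: str = "",
                   history: Optional[List[Tuple[bytes, bytes]]] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accept.

    This is the server-side check: it must run on every path that sets a
    password (registration, change, reset, API), whatever the client did.
    """
    problems: List[str] = []
    if len(candidate) > MAX_LENGTH:
        # Reject before hashing so an attacker cannot burn CPU with huge inputs.
        return [f"longer than {MAX_LENGTH} characters"]
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # The page's composition rule: all four character classes.
    has = {
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in has.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if is_breached(candidate):
        problems.append("appears in a known breach")

    # History check against stored hashes only; old passwords are never
    # kept in cleartext. Slicing enforces the depth even if the store
    # hands back a longer list.
    for salt, digest in (history or [])[:HISTORY_DEPTH]:
        if _matches(candidate, salt, digest):
            problems.append(f"was used within the last {HISTORY_DEPTH} passwords")
            break
    return problems


if __name__ == "__main__":
    old_salt, old_digest = hash_password("Tr0ub4dor&3-correct-horse")
    for pw in ("123456", "P@ssw0rd", "Tr0ub4dor&3-correct-horse"):
        result = check_password(pw, username="alice", history=[(old_salt, old_digest)])
        print(pw, "->", result or "OK")
```

Returning the full list of violations rather than the first one lets the same function back both the registration response and the API error body, and the early return on over-long input matters: every history entry costs a PBKDF2 derivation, so an unbounded password length turns the check itself into a CPU-exhaustion target.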

Apply the Policy to All Entry Points

Make sure the same server-side policy is enforced on every path that creates or sets a password:

  • Registration forms
  • Change password forms
  • Login forms, in the sense that a password which no longer meets the current policy should trigger a forced change after a successful login
  • Password reset pages, including any "set initial password" flow after an administrator creates the account
  • API endpoints used by mobile apps or third-party integrations, which are often wired to a different code path than the web forms