High Severity
🟠 Weak Password Policy
🧠 Description
The application accepts weak passwords or enforces insufficient password requirements (no minimum length, no check against known-breached passwords). Such passwords fall quickly to online guessing and, once a hash database leaks, to offline dictionary or brute-force cracking.
Impact: Account Takeover, Credential Stuffing, Data Breach
🎯 Attack Surface
- User registration
- Password change
- Password reset
- Admin accounts
🔍 Detection
Test the password policy on every surface that sets a password (registration, change, reset, admin creation) by submitting commonly used weak passwords and checking whether they are accepted:
- 123456
- password
- admin123
- qwerty
- 111111
- password1
Also try a password equal to the username and very short values to find the real minimum length; any of these being accepted confirms the finding.
🛡️ Mitigation
✅ Require a minimum of 12 characters (length matters more than composition); allow long passphrases and all printable characters, including spaces
✅ Require uppercase, lowercase, numbers, special chars only if a length-first policy is not possible (NIST SP 800-63B advises against composition rules, which push users toward predictable patterns such as Password1!)
✅ Check against known compromised passwords (HaveIBeenPwned Pwned Passwords range API, queried by the first 5 characters of the SHA-1 hash so the password itself never leaves the application) and reject breached values
✅ Enforce password rotation for privileged accounts on evidence of compromise and on staff changes rather than on a fixed calendar; pair privileged accounts with MFA and rate limiting on login attempts