Weak credential policy - Temporary passwords - Elixir

Need

To prevent unauthorized account access due to weak temporary passwords, which can be easily compromised.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Comeonin package for password hashing

Description

Non-compliant code

        defmodule MyAppWeb.UserController do
          use MyAppWeb, :controller

          def create_temporary_password(conn, %{"username" => username}) do
            # Static value shared by every user: trivially guessable
            temporary_password = "password123"
            hashed_password = Comeonin.Bcrypt.hashpwsalt(temporary_password)
            # ... rest of the code
          end
        end


In this insecure code, the application assigns a static, weak temporary password for all users who request it. This can lead to an attacker easily guessing the temporary password.

Steps

  • Generate a strong, random temporary password for each user request.
  • The temporary password should have a defined minimum length and contain a mix of uppercase and lowercase letters, numbers, and special characters.
  • The temporary password should be unique for each request.

Compliant code

        defmodule MyAppWeb.UserController do
          use MyAppWeb, :controller

          def create_temporary_password(conn, %{"username" => username}) do
            # 12 bytes from the OS CSPRNG, Base64-encoded (16 chars) and cut to 12
            temporary_password =
              :crypto.strong_rand_bytes(12)
              |> Base.encode64()
              |> binary_part(0, 12)

            hashed_password = Comeonin.Bcrypt.hashpwsalt(temporary_password)
            # ... rest of the code
          end
        end


In the secure code, the application generates a strong, random temporary password for each user request. This prevents an attacker from easily guessing the temporary password.
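The compliant one-liner draws strong randomness but does not guarantee the character mix the steps above call for. The generator below enforces all three steps (length, one character from each class, fresh randomness per call) and is added here as an example; it is not code from the original page. The module name MyApp.TemporaryPassword, the special-character set and the minimum length of 12 are assumptions.

```elixir
defmodule MyApp.TemporaryPassword do
  @moduledoc """
  Hypothetical helper: builds temporary passwords that satisfy the policy
  (fixed length, every character class present, fresh randomness each call).
  The resulting string is what would be passed to Comeonin for hashing.
  """

  @upper Enum.to_list(?A..?Z)
  @lower Enum.to_list(?a..?z)
  @digits Enum.to_list(?0..?9)
  @special String.to_charlist("!@#$%^&*()-_=+[]{}:;,.?")
  @classes [@upper, @lower, @digits, @special]
  @all Enum.concat(@classes)

  @doc "Returns a random password of `len` characters (assumed minimum: 12)."
  def generate(len \\ 16) when is_integer(len) and len >= 12 do
    # One guaranteed character per class, the rest drawn from the full alphabet.
    required = Enum.map(@classes, &random_element/1)
    filler = for _ <- 1..(len - length(required)), do: random_element(@all)

    (required ++ filler)
    |> secure_shuffle()
    |> List.to_string()
  end

  # Uniform pick via rejection sampling: a plain rem(byte, size) would bias
  # the result toward the first characters of the list.
  defp random_element(list) do
    size = length(list)
    limit = 256 - rem(256, size)
    <<byte>> = :crypto.strong_rand_bytes(1)

    if byte < limit, do: Enum.at(list, rem(byte, size)), else: random_element(list)
  end

  # Shuffle by sorting on strong random keys, so the guaranteed characters
  # do not always sit at the front of the password.
  defp secure_shuffle(list) do
    list
    |> Enum.map(&{:crypto.strong_rand_bytes(8), &1})
    |> Enum.sort()
    |> Enum.map(fn {_key, ch} -> ch end)
  end

  @doc "True when the candidate contains at least one character of every class."
  def policy_ok?(password) when is_binary(password) do
    chars = String.to_charlist(password)
    Enum.all?(@classes, fn class -> Enum.any?(chars, &(&1 in class)) end)
  end
end
```

In the controller, `MyApp.TemporaryPassword.generate()` would replace the Base64 one-liner before the call to `Comeonin.Bcrypt.hashpwsalt/1`, and `policy_ok?/1` can serve as a unit-test check on the generator.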

References