Cracked weak credentials - Go

Cracked weak credentials - Go

Need

Enhancement of password security measures

Context

  • Usage of Go 1.16 for developing scalable and efficient applications
  • Usage of gin-gonic/gin for building web applications in Go
  • Usage of bcrypt from golang.org/x/crypto for secure password hashing in Golang

Description

Non compliant code

        package main

import (
	"github.com/gin-gonic/gin"
	"golang.org/x/crypto/bcrypt"
)

func main() {
	r := gin.Default()

	r.POST("/register", func(c *gin.Context) {
		username := c.PostForm("username")
		password := c.PostForm("password")

		hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
		
		// Storing the hashed password in the database
		// db.StoreUser(username, string(hashedPassword))
	})

	r.Run()
}

In this code snippet, we are using the Go bcrypt package to hash a user's password before storing it in a database. The bcrypt package provides a function called GenerateFromPassword that hashes a password.

The problem in this code is with the cost factor that we are using. The cost factor is a numerical value that determines how secure the hashed password will be. The higher the cost, the more secure the hash.

In our case, we are using bcrypt.MinCost which is the minimum possible cost and results in the least secure hash. This low-cost factor means that the hashes stored in the database are not complex and can be cracked easily. This is a significant vulnerability as it allows an attacker to more easily crack the hashed passwords if they gain access to the database.

Steps

  • Use a stronger hashing algorithm for password storage, such as Argon2 or scrypt.
  • Increase the cost factor for the bcrypt algorithm to make it more computationally expensive to crack the passwords.
  • Implement a password policy that enforces strong passwords with a minimum length and complexity requirements.
  • Implement account lockout mechanisms to prevent brute-force attacks.
  • Consider using multi-factor authentication to add an extra layer of security.
  • Regularly update and patch the application and its dependencies to ensure any security vulnerabilities are addressed.

Compliant code

        package main

import (
	"github.com/gin-gonic/gin"
	"golang.org/x/crypto/bcrypt"
)

func main() {
	r := gin.Default()

	r.POST("/register", func(c *gin.Context) {
		username := c.PostForm("username")
		password := c.PostForm("password")

		// Increase the cost factor for bcrypt to make it more computationally expensive
		hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
		
		// Storing the hashed password in the database
		// db.StoreUser(username, string(hashedPassword))
	})

	r.Run()
}

The updated code increases the cost factor for the bcrypt hashing algorithm from bcrypt.MinCost to bcrypt.DefaultCost. This makes the hashing process more computationally expensive, thereby increasing the time and resources required to crack the passwords.

This is a crucial step in mitigating the risk of weak credentials being cracked. However, it's important to note that this alone may not be sufficient to fully secure the application. Other measures such as implementing a strong password policy, account lockout mechanisms, multi-factor authentication, and regular updates and patches should also be considered.

References