Enhancement of credential security
from django.contrib.auth.models import User


def create_user(username, password):
    # No policy check: whatever string the caller passes becomes the password.
    # create_user() hashes and saves the user; the explicit save() is redundant.
    user = User.objects.create_user(username, password=password)
    user.save()
    return user
The code above shows a function, create_user, that creates a Django user from a username and password. The User model is part of Django's authentication system (django.contrib.auth).
In this function there is no check of password strength. It accepts any password the caller provides, including short, all-numeric or widely used ones such as "123456", and User.objects.create_user() itself performs no validation; it only hashes and stores whatever it is given. Accounts created this way are exposed to password-guessing attacks (online brute force and dictionary attacks) against the login endpoint.
A brute force attack is a trial-and-error method used to obtain information such as a user password. In this scenario, an attacker attempts to guess the password using all possible combinations until the correct one is found.
The lack of password complexity and strength validation makes the system weak against these attacks, as simple passwords can be guessed more quickly. This vulnerability is known as 'Guessed weak credentials'.
from django.contrib.auth.models import User
from django.contrib.auth.password_validation import validate_password
from django.core.exceptions import ValidationError


def create_user(username, password):
    try:
        # Run every validator listed in settings.AUTH_PASSWORD_VALIDATORS.
        # An unsaved User instance is passed so the similarity validator can
        # compare the password against the username as well.
        validate_password(password, user=User(username=username))
        # create_user() hashes the password and saves the row.
        user = User.objects.create_user(username, password=password)
        return user
    except ValidationError as e:
        # e.messages holds one message per failed validator.
        print("Error: ", e)
        return None
The updated code now uses Django's built-in password validation. validate_password() runs the validators configured in the AUTH_PASSWORD_VALIDATORS setting; the settings file generated by startproject enables the four validators Django ships: UserAttributeSimilarityValidator (rejects passwords too similar to the username, e-mail and name fields), MinimumLengthValidator (8 characters by default), CommonPasswordValidator (rejects entries from a bundled list of commonly used passwords) and NumericPasswordValidator (rejects entirely numeric passwords). Note that the setting defaults to an empty list, so in a project that never configured it validate_password() accepts every password; check the setting before relying on this call.
The validate_password function checks the password against that policy. If the password fails any validator, a ValidationError is raised carrying one message per failed check. The function is called before the user is created, so a password that is not strong enough never reaches create_user(), the user is not created, and the error message is printed.
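To show what those four checks actually enforce, and to have a policy that can be unit-tested without a Django project, here is an added example that mirrors the logic of Django's default validators in plain Python. It is not Django's code: the COMMON_PASSWORDS set is a constructed stand-in for Django's bundled list, register_user() and its in-memory user_store are hypothetical, and the similarity threshold (0.7) and minimum length (8) are Django's documented defaults.

```python
"""Stand-alone mirror of the checks performed by Django's four default
password validators (added example; not Django's own implementation)."""
import hashlib
import os
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8          # MinimumLengthValidator default
MAX_SIMILARITY = 0.7    # UserAttributeSimilarityValidator default
# Constructed stand-in for the ~20k-entry list CommonPasswordValidator ships.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password_policy(password, username="", email=""):
    """Return a list of failure messages; an empty list means the password passes."""
    errors = []

    # 1. Similarity to user attributes: like Django, compare against the whole
    #    value and against each \W-separated part of it (e.g. the local part
    #    of an e-mail address), using difflib's quick_ratio().
    for attr, value in (("username", username), ("email", email)):
        if not value:
            continue
        parts = re.split(r"\W+", value) + [value]
        for part in parts:
            if part and SequenceMatcher(a=password.lower(),
                                        b=part.lower()).quick_ratio() >= MAX_SIMILARITY:
                errors.append(f"too similar to the {attr}")
                break

    # 2. Minimum length.
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")

    # 3. Known-common password (case-insensitive, like Django).
    if password.lower().strip() in COMMON_PASSWORDS:
        errors.append("in the common-password list")

    # 4. Entirely numeric.
    if password.isdigit():
        errors.append("entirely numeric")

    return errors


def register_user(username, password, user_store, email=""):
    """Hypothetical registration: validate first, store only on success.

    Returns the list of policy failures; an empty list means the account
    was created. The password is stored as a salted PBKDF2-SHA256 hash,
    the same construction Django uses by default (iteration count reduced
    here to keep the example fast).
    """
    errors = check_password_policy(password, username, email)
    if errors:
        return errors
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    user_store[username] = (salt, digest)
    return []


if __name__ == "__main__":
    store = {}
    for pw in ("1234567", "password", "alice2024", "correct horse battery staple"):
        print(f"{pw!r}: {register_user('alice', pw, store) or 'accepted'}")
```

The similarity check is the one most often misunderstood: "alice2024" is rejected for user alice because roughly 71% of its characters overlap with the username, which is why the earlier fix passes a User instance to validate_password() instead of calling it with the password alone.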
This is a simple way to enforce password strength rules and reduce exposure to password-guessing attacks. Two caveats apply. First, validate_password() only runs where it is called: create_user(), set_password() and direct assignment never invoke it, so every path that sets a password (registration, password change, password reset, admin tooling) must call it explicitly, or use Django's forms (UserCreationForm, SetPasswordForm) which do so for you. Second, strength rules alone do not stop an attacker who can make unlimited guesses; for a more robust defence add rate limiting or account lockout after a number of failed login attempts, and multi-factor authentication.