Weak credential policy - Temporary passwords - Ruby

Weak credential policy - Temporary passwords - Ruby

Need

Enhancement of temporary password security policies

Context

  • Usage of Ruby 2.7 for developing Ruby applications
  • Usage of Rails for building web applications

Description

Non compliant code

        class UsersController < ApplicationController
  def reset_password
    @user = User.find(params[:id])
    @user.password = 'password123'
    @user.save!
    redirect_to @user
  end
end
        
        

The vulnerable code above is a reset_password method in the UsersController class. The method is responsible for resetting user's passwords. However, the vulnerability lies in the fact that the new password is a hardcoded string 'password123' which is weak and does not follow any strong password policy.

In this scenario, when a user requests for a password reset, the system assigns a weak, easily guessable password 'password123' to the user's account. This makes the user's account highly susceptible to brute force attacks as the attacker can easily guess the password.

Moreover, the same temporary password is assigned to every user who requests a password reset, which means if an attacker compromises one account, they can potentially access any other account that has had its password reset.

In addition, there is no mechanism in place to force the user to change this temporary password immediately after logging in, which means the user might continue using this weak password, further increasing the risk of their account being compromised.

Steps

  • Implement a strong password policy that enforces complexity requirements such as minimum length, use of uppercase and lowercase letters, numbers, and special characters.
  • Generate a random and secure temporary password instead of using a static password like 'password123'.
  • Ensure that the temporary password is only valid for a limited period of time and expires after a certain duration.
  • Encrypt the temporary password before storing it in the database to protect it from unauthorized access.
  • Implement a secure password reset mechanism that requires additional verification steps, such as sending a verification email or using multi-factor authentication.
  • Log all password reset activities for auditing purposes.
  • Regularly review and update the password policy to adapt to evolving security threats and best practices.

Compliant code

        class UsersController < ApplicationController
  require 'securerandom'

  def reset_password
    @user = User.find(params[:id])
    @user.password = generate_temp_password
    @user.password_reset_sent_at = Time.zone.now
    @user.save!
    # Send password reset email
    UserMailer.password_reset(@user).deliver_now
    redirect_to @user
  end

  private

  def generate_temp_password
    SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
  end
end
        
        

The updated code now includes a method generate_temp_password that generates a random, secure temporary password using the SecureRandom.base64 method. This method generates a random string of the specified length, in this case 15 characters. The tr method is used to replace certain characters that might be confusing in a password ('+/=lIO0') with others ('pqrsxyz').

The temporary password is then assigned to the user's password field. The time at which the password reset was sent is also recorded in a password_reset_sent_at field. This can be used to implement a policy where the temporary password expires after a certain duration.

After the user's password and password_reset_sent_at fields are updated, the changes are saved to the database using the save! method.

Finally, a password reset email is sent to the user using a hypothetical UserMailer.password_reset method. This method would need to be implemented in your UserMailer class, and would send an email to the user with instructions on how to reset their password.

This approach ensures that the temporary password is both secure and temporary, and that the user is notified of the password reset. It also provides a basis for implementing additional security measures, such as password encryption and expiration, multi-factor authentication, and activity logging.

References