Enhancement of credential policy for temporary passwords
```scala
package controllers

import play.api._
import play.api.mvc._
import java.util.UUID

class Application extends Controller {
  // Vulnerable: a UUID is not a password generator, and truncating it to
  // 5 characters leaves far too little entropy to resist brute force.
  def generateTempPassword = Action {
    val tempPassword = UUID.randomUUID().toString.substring(0, 5)
    Ok(tempPassword)
  }
}
```
The above Scala code represents a simple Play Framework controller that generates a temporary password for a user. The `generateTempPassword` function generates a random UUID and then takes the first 5 characters to create a temporary password.

The vulnerability here is that the temporary password generated is not strong enough. It only uses 5 alphanumeric characters, which means it can be easily cracked by brute force attacks. The UUID generation also does not take into consideration the need for a mixture of uppercase, lowercase, numbers, and special characters, which further weakens the security of the temporary password.

In addition, the temporary password is returned directly in the HTTP response, which could be intercepted and read by an attacker if the connection is not secure.
```scala
package controllers

import play.api._
import play.api.mvc._
import java.security.SecureRandom
import java.util.Base64

class Application extends Controller {
  // Cryptographically strong RNG; SecureRandom is thread-safe, so one
  // instance per controller is sufficient.
  private val secureRandom = new SecureRandom()

  def generateTempPassword = Action {
    val tempPassword = generateSecurePassword()
    Ok(tempPassword)
  }

  // 24 random bytes (192 bits) encoded as 32 URL-safe Base64 characters.
  private def generateSecurePassword(): String = {
    val randomBytes = new Array[Byte](24)
    secureRandom.nextBytes(randomBytes)
    val encoder = Base64.getUrlEncoder.withoutPadding()
    encoder.encodeToString(randomBytes)
  }
}
```
The previous code generated temporary passwords by taking a substring of a UUID, which is not secure enough. The new code generates a secure temporary password using `SecureRandom` and `Base64` encoding.

Here's a breakdown of the changes:

- A `SecureRandom` instance is created. This provides a cryptographically strong random number generator.
- The `generateTempPassword` method now calls a new private method, `generateSecurePassword`.
- The `generateSecurePassword` method generates a byte array of length 24, fills it with random bytes from `secureRandom`, and then encodes it to a string using URL-safe Base64 encoding. This results in a 32-character string drawn from the URL-safe Base64 alphabet (uppercase and lowercase letters, digits, `-` and `_`), which is very unlikely to be guessed.

This is a significant improvement over the previous password generation method, but it's still important to enforce a strong password policy. This includes requiring users to change their temporary password after first use, and regularly updating the password policy to adapt to evolving security threats.
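The entropy gap between the two schemes and the "change after first use" rule from the paragraph above, carried into working code as an added Scala example (not the page's own controller). The in-memory store, the 15-minute TTL and the user names are constructed stand-ins; a real application would persist the hash in its user database and force a password change once `redeem` returns true.

```scala
import java.nio.charset.StandardCharsets
import java.security.{MessageDigest, SecureRandom}
import java.util.Base64
import scala.collection.mutable

object TempPasswordPolicy {
  // Bits of entropy in a password of `length` symbols drawn uniformly from `alphabetSize` symbols.
  def entropyBits(alphabetSize: Int, length: Int): Double =
    length * (math.log(alphabetSize) / math.log(2))

  // Hypothetical credential record: only a hash of the temporary password is kept, never the password.
  final case class TempCredential(hash: Array[Byte], expiresAtMillis: Long, var used: Boolean = false)

  private val rng = new SecureRandom()
  private val store = mutable.Map.empty[String, TempCredential] // stand-in for a user database
  private val ttlMillis = 15 * 60 * 1000L                        // constructed policy value: 15 minutes

  private def sha256(s: String): Array[Byte] =
    MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8))

  // Issue a temporary password for `user`: 24 bytes from SecureRandom, URL-safe Base64, returned once.
  def issue(user: String, now: Long): String = {
    val bytes = new Array[Byte](24)
    rng.nextBytes(bytes)
    val pw = Base64.getUrlEncoder.withoutPadding().encodeToString(bytes)
    store(user) = TempCredential(sha256(pw), now + ttlMillis)
    pw
  }

  // Accept the password only if it is unexpired and unused, then burn it so it cannot be replayed.
  // MessageDigest.isEqual compares in constant time. The caller must still force a real password
  // change before granting a session.
  def redeem(user: String, candidate: String, now: Long): Boolean =
    store.get(user) match {
      case Some(c) if !c.used && now < c.expiresAtMillis && MessageDigest.isEqual(c.hash, sha256(candidate)) =>
        c.used = true
        true
      case _ => false
    }

  def main(args: Array[String]): Unit = {
    // UUID.toString is hex, so the first 5 characters come from a 16-symbol alphabet.
    println(f"UUID substring (5 hex chars): ${entropyBits(16, 5)}%.0f bits")
    println(s"24 random bytes: ${24 * 8} bits")
    val now = System.currentTimeMillis()
    val pw = issue("alice", now)
    println(s"first redemption inside the TTL: ${redeem("alice", pw, now + 1000)}")
    println(s"replay of the same password: ${redeem("alice", pw, now + 2000)}")
    println(s"redemption after the TTL: ${redeem("bob", issue("bob", now), now + ttlMillis + 1)}")
  }
}
```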