The application does not enforce a strong password policy, so users can register or keep short, common or previously used passwords. Weak passwords are the ones a dictionary or brute-force attack recovers first, which lowers the effort needed to take over user accounts.
To mitigate the risk of easily guessed passwords leading to unauthorized access there are two solutions: introduce an additional authentication factor (e.g. two-factor authentication) or introduce a strong password policy. The simplest and cheapest is a strong password policy that enforces minimum length, character complexity, a ban on reusing recent passwords and a maximum password age; ideally both controls are implemented. Note that a password policy on its own does not stop online guessing, so it should be combined with rate limiting or account lockout on the login endpoint.

OWASP
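The following is an added example of the policy described above (length, complexity, reuse and aging), not code from the original finding. The thresholds, the small common-password denylist and the PBKDF2 parameters are constructed for illustration; a real deployment would tune them and use a breached-password corpus for the denylist.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy knobs (constructed for this example, not taken from the original finding).
MIN_LENGTH = 12
REQUIRED_CLASSES = 3          # of: lowercase, uppercase, digit, symbol
HISTORY_SIZE = 5              # previous passwords that may not be reused
MAX_AGE = timedelta(days=90)  # after which the user must rotate

# Constructed denylist; in practice load a breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123456"}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256) so history entries are not plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def check_complexity(password: str) -> List[str]:
    """Return the list of policy violations for a candidate password (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < REQUIRED_CLASSES:
        problems.append(f"uses only {classes} of {REQUIRED_CLASSES} required character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    return problems


class PasswordRecord:
    """Per-user state the policy needs: (salt, hash) history and last change time."""

    def __init__(self) -> None:
        self.history: List[Tuple[bytes, bytes]] = []
        self.changed_at: Optional[datetime] = None

    def set_password(self, password: str, now: datetime) -> List[str]:
        """Apply the policy; on success store the new hash and timestamp, else return violations."""
        problems = check_complexity(password)
        # Reuse check: re-derive with each historical salt and compare in constant time.
        for salt, old_hash in self.history:
            if hmac.compare_digest(_hash_password(password, salt), old_hash):
                problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
                break
        if problems:
            return problems
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash_password(password, salt))])[-HISTORY_SIZE:]
        self.changed_at = now
        return []

    def is_expired(self, now: datetime) -> bool:
        """Aging: force a change if the password is older than MAX_AGE or never set."""
        return self.changed_at is None or now - self.changed_at > MAX_AGE


if __name__ == "__main__":
    rec = PasswordRecord()
    t0 = datetime(2024, 1, 1)
    print(rec.set_password("password", t0))                  # several violations
    print(rec.set_password("Correct-Horse-Battery-9", t0))   # [] -> accepted
    print(rec.set_password("Correct-Horse-Battery-9", t0))   # reuse rejected
    print(rec.is_expired(t0 + timedelta(days=91)))           # True
```

The reuse check must run against stored hashes, never a plaintext history, and the expiry check belongs at login time so an aged password forces a change before the session is granted.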
- OWASP: Testing for Weak Password Policy
- OWASP: Brute Force Attack
- OWASP Top 10 2017 A2: Broken Authentication
- OWASP Top 10 2021 A07: Identification and Authentication Failures