Peter Chen created FINERACT-2127:
------------------------------------

             Summary: Weak Password Policy
                 Key: FINERACT-2127
                 URL: https://issues.apache.org/jira/browse/FINERACT-2127
             Project: Apache Fineract
          Issue Type: Bug
          Components: Client, Security
            Reporter: Peter Chen


h2. Description
 
The application does not require users to choose strong passwords, which 
makes it easier for attackers to compromise user accounts.
 
h2. Impact Details
The vulnerability may allow an attacker to guess users’ passwords and gain 
unauthorized access to the application.
 
h2. Reproduction Steps
 
1- Log in at [https://openmf.github.io/web-app/] or [https://demo.mifos.io]

2- Visit the {{Users}} section located in the {{Admin}} dropdown.

3- Click on {{Create User}}, fill in all the details and make sure to use a 
weak password (e.g. {{read}}).

4- Forward the request and notice that the user has been created with the weak 
password, i.e. {{read}}.

Notice that you can log in successfully with the credentials created above.

Note: the backend must also enforce the password policy; a check that lives only 
in the web client is bypassed simply by forwarding the request, as in step 4.
h2. Remediation Advice
Enforce a strong password policy. Don't permit weak passwords or passwords 
based on dictionary words.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)