Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version: 2.4.104
- Fix Version: None
Description:
The application currently provides no way for application administrators to enforce strong password policies. Without such policies it is highly likely that end users will choose weak passwords and that the application will accept them. Even where usability requirements dictate allowing weaker passwords, it is still desirable for JSPWiki administrators to have a configurable option for enforcing password policies. Currently the only enforcement in place is that the password cannot be null or identical to the username.
Recommendation:
Consider giving JSPWiki administrators the capability to enforce stronger password complexity policies, for example a minimum password length and character rules requiring special characters.
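As an added illustration (not JSPWiki code), the following stand-alone Java class shows what such a configurable policy could look like: it reads hypothetical property keys in the style of jspwiki.properties and returns the list of violated rules, the way validateProfile could collect them before accepting a profile. The class name, property keys and sample passwords are all assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Hypothetical configurable password policy (illustration only; the property keys are assumed,
// not real JSPWiki settings). JSPWiki 2.4.104 itself only rejects null or login-name passwords.
public final class PasswordPolicy {
    private final int minLength;
    private final boolean requireUpper, requireLower, requireDigit, requireSpecial;
    public PasswordPolicy(Properties props) {
        minLength = Integer.parseInt(props.getProperty("password.minLength", "8"));
        requireUpper = Boolean.parseBoolean(props.getProperty("password.requireUpper", "true"));
        requireLower = Boolean.parseBoolean(props.getProperty("password.requireLower", "true"));
        requireDigit = Boolean.parseBoolean(props.getProperty("password.requireDigit", "true"));
        requireSpecial = Boolean.parseBoolean(props.getProperty("password.requireSpecial", "false"));
    }
    /** Returns an empty list if the password is acceptable, otherwise one message per violated rule. */
    public List<String> validate(String loginName, String password) {
        List<String> errors = new ArrayList<>();
        if (password == null || password.isEmpty()) {
            errors.add("Password must not be empty.");
            return errors; // nothing else is worth checking
        }
        check(errors, loginName != null && password.equalsIgnoreCase(loginName), // today's rule, case-insensitive
              "Password must not be the same as the login name.");
        check(errors, password.length() < minLength,
              "Password must be at least " + minLength + " characters long.");
        check(errors, requireUpper && password.chars().noneMatch(Character::isUpperCase),
              "Password must contain an upper-case letter.");
        check(errors, requireLower && password.chars().noneMatch(Character::isLowerCase),
              "Password must contain a lower-case letter.");
        check(errors, requireDigit && password.chars().noneMatch(Character::isDigit),
              "Password must contain a digit.");
        check(errors, requireSpecial && password.chars().allMatch(Character::isLetterOrDigit),
              "Password must contain a non-alphanumeric character.");
        return errors;
    }
    private static void check(List<String> errors, boolean violated, String message) { if (violated) errors.add(message); }

    public static void main(String[] args) {
        Properties props = new Properties(); // constructed sample configuration; keys are hypothetical
        props.setProperty("password.minLength", "10");
        props.setProperty("password.requireSpecial", "true");
        PasswordPolicy policy = new PasswordPolicy(props);
        for (String pw : new String[] {"janedoe", "correcthorse", "Tr0ub4dor&3"}) {
            List<String> errors = policy.validate("janedoe", pw);
            System.out.println(pw + " -> " + (errors.isEmpty() ? "accepted" : errors));
        }
    }
}
```

With the sample configuration, the first two passwords are rejected with every violated rule listed, and only the third is accepted.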
Related Code Locations:
1 finding:
Name: com.ecyrd.jspwiki.auth.UserManager.validateProfile(com.ecyrd.jspwiki.WikiContext;com.ecyrd.jspwiki.auth.user.UserProfile):void
Type: Vulnerability.Authentication
Severity: Medium
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
Line / Col: 425 / 0
Context: password . java.lang.String.equals ( password2 )
-----------------------------------