Forgot Password generates weak password

Issue: SI-17
Date: Apr 21, 2014, 4:45:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 2.5.4
Credit: it.sec GmbH & Co. KG – Hans-Martin Münch & Markus Piéton
Description:

Weaknesses in user account management allow attackers to circumvent access controls by brute-forcing weak passwords and by using default user accounts, potentially gaining access to the administrative interface. The password reset function sets a new password that an attacker can trigger and then brute-force easily, without requiring access to the user's mail address.

Mitigation:

dotCMS installations can override the class (toolkit) responsible for validating password complexity and generating random passwords. This is a "pluggable" implementation, so the weak password generation can be resolved in a plugin by providing a custom class and pointing the system property at it:

passwords.toolkit=com.liferay.portal.pwd.RegExpToolkit
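What a replacement toolkit needs to get right, shown as an added Java example that is not code from dotCMS or Liferay: generation from a CSPRNG over a large alphabet at a length that yields roughly 100 bits of entropy, and a complexity check applied to user-chosen and generated passwords alike. The class name, alphabet, length and regular expression are assumptions chosen for illustration. Wiring it in means extending the toolkit base class your installation selects through passwords.toolkit; that base class's method signatures are not on this page and are not reproduced here, so the class below stands alone.

```java
import java.security.SecureRandom;
import java.util.regex.Pattern;

/*
 * Added example, not dotCMS or Liferay code. Shows the generation and
 * validation logic a replacement password toolkit should provide.
 * Class name, alphabet, length and policy regex are assumptions.
 */
public class StrongPasswordToolkit {

    // Constructed alphabet: lower, upper, digits, punctuation (76 symbols).
    private static final String CHARSET =
        "abcdefghijklmnopqrstuvwxyz"
      + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      + "0123456789"
      + "!@#$%^&*()-_=+";

    // 16 symbols from a 76-symbol alphabet: 16 * log2(76) ~= 100 bits.
    private static final int GENERATED_LENGTH = 16;

    // Assumed complexity policy: 12+ characters with at least one
    // lowercase letter, one uppercase letter and one digit.
    private static final Pattern COMPLEXITY =
        Pattern.compile("^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{12,}$");

    // A CSPRNG; never java.util.Random or a clock-seeded generator.
    private final SecureRandom random = new SecureRandom();

    /**
     * Generates a reset password. Candidates are drawn until one satisfies
     * the same policy users are held to, so a generated password can never
     * be weaker than a user-chosen one.
     */
    public String generate() {
        String candidate;
        do {
            StringBuilder sb = new StringBuilder(GENERATED_LENGTH);
            for (int i = 0; i < GENERATED_LENGTH; i++) {
                sb.append(CHARSET.charAt(random.nextInt(CHARSET.length())));
            }
            candidate = sb.toString();
        } while (!validate(candidate));
        return candidate;
    }

    /** Returns true when the password satisfies the complexity policy. */
    public boolean validate(String password) {
        return password != null && COMPLEXITY.matcher(password).matches();
    }

    /** Entropy in bits of a uniformly random string over an alphabet. */
    public static double entropyBits(int alphabetSize, int length) {
        return length * (Math.log(alphabetSize) / Math.log(2));
    }

    public static void main(String[] args) {
        StrongPasswordToolkit toolkit = new StrongPasswordToolkit();
        String generated = toolkit.generate();
        System.out.println("generated: " + generated + " (~"
            + Math.round(entropyBits(CHARSET.length(), GENERATED_LENGTH))
            + " bits)");
        // Constructed comparison, not a statement about the old default:
        // a 4-digit numeric code has 10^4 possibilities, about 13 bits.
        System.out.printf("4-digit numeric code: ~%.1f bits%n",
            entropyBits(10, 4));
        System.out.println("validate(\"password\") = "
            + toolkit.validate("password"));
        System.out.println("validate(generated)  = "
            + toolkit.validate(generated));
    }
}
```

Compile and run with javac and java to see the entropy figures side by side. The point of the do/while in generate() is that a generator and a validator that disagree leave a gap: if generated passwords are exempt from the policy, the reset path is exactly where the weakest passwords appear.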


We agree that the default "random" password is too weak and will update the class accordingly. Additionally, the system user should never be able to authenticate; this will be fixed as well.

Workaround: many of our customers with custom password security requirements authenticate their user accounts against LDAP or AD systems and rely on the controls those systems provide for enforcing password rules and securing user passwords.