Password authentication should be checked against brute force attacks
Klocwork reports a CXX.SV.PWD_INPUT.REVIEW defect when password authentication is used in applications. Designers can review the defects to ensure that their company authentication policy is enforced.
Vulnerability and risk
Not limiting unsuccessful password authentication attempts can lead to brute force attacks. Hackers could try to find a user’s password by repeatedly trying new passwords. The possibility of doing multiple authentication attempts without limiting it can lead to unauthorized access to the application.
Mitigation and prevention
Review password authentication process to ensure that it conforms with your company's authentication policy. Klocwork recommends in general to limit unsuccessful authentication to a maximum of three attempts within a 15-minute interval. After three attempts, the user account should be locked.
Vulnerable code example
editPassword = new QLineEdit();
QString password = editPassword->text();
Klocwork reports a CXX.SV.PWD_INPUT.REVIEW defect on line 6 since a password field is identified on line 5. It is the role of the reviewer to ensure that this password matches the policy of the application for unsuccessful authentication attempts.
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- OWASP A2:2021 Cryptographic Failures
- OWASP A7:2021 Identification and Authentication Failures
- STIG-ID:V-222432 (APSC-DV-000530): The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
Application security training materials provided by Secure Code Warrior.