Weak Password Policy
detect, understand, remediate
Weak password policies accept passwords that are short, common, or already exposed in a breach, so attackers can recover them through brute-force, dictionary, or credential-stuffing attacks.
No credit card required. Free plan available forever.
What is a weak password policy?
A weak password policy is a set of authentication rules that lets users choose passwords an attacker can guess: too short, taken from a common wordlist, already exposed in a breach, or derived from the username or the site name. When an application accepts such passwords, accounts fall to brute-force, dictionary, or credential-stuffing attacks in seconds to minutes. Mandatory periodic rotation, once a standard policy element, is no longer recommended (NIST SP 800-63B): it pushes users toward predictable increments such as "Winter2023!" becoming "Winter2024!", and should be replaced by a forced reset only when a compromise is suspected.
The "cracked almost instantly" figure applies to offline cracking of a leaked database hashed with a fast, unsalted function such as MD5 or SHA-1, where commodity GPUs test billions of candidates per second: the full 8-character keyspace falls in hours to days, and a dictionary word in seconds. A slow, salted hash (bcrypt, scrypt, Argon2id) and online rate limiting raise the cost, but they do not save a password that sits in the first few thousand entries of every wordlist. Combined with widespread password reuse, a weak policy on one application leaks credentials that unlock accounts across an entire ecosystem of services.
Effective password policies go beyond minimum length. They check new passwords against a blocklist of common and previously breached passwords, enforce multi-factor authentication, and accommodate password managers (no low maximum length, no restricted character set) so that users can hold a unique, random credential for every account.
How it works
Weak passwords accepted
The application allows users to set passwords like "password123" or "admin" that appear in every common password wordlist.
Attacker targets accounts
Using credential stuffing lists or brute-force tools, the attacker systematically tests common passwords against user accounts.
Credentials compromised
Weak passwords fall within the first few hundred guesses. Passwords reused from other breaches grant immediate access without any guessing at all.
Account takeover
The attacker gains full access to the account, potentially escalating privileges, exfiltrating data, or pivoting to other systems.
Common causes
Low minimum length requirements
Allowing passwords as short as 6 or 8 characters dramatically reduces the search space an attacker needs to brute-force.
Composition rules in place of a blocklist
Requiring a mix of uppercase, lowercase, digits, and symbols does little on its own: users satisfy the rule predictably ("Password1!", "P@ssw0rd"), those variants appear in every wordlist, and NIST SP 800-63B now advises against composition rules for that reason. The real gap is accepting any dictionary word or common pattern without checking it against a blocklist.
No breach database checks
Failing to check new passwords against databases of previously breached credentials allows users to set passwords already known to attackers.
No MFA requirement
Without multi-factor authentication, a compromised password is the only barrier between an attacker and full account access.
How to detect it
Automated detection
- SecPortal's authenticated scanner tests registration and password change forms for minimum length and complexity enforcement
- Configuration audits check for password policy settings in authentication services and identity providers
- Code scanning identifies password validation logic and flags policies that fall below recommended thresholds
Manual testing
- Attempt to register or change passwords using common weak passwords (e.g. "password", "123456", "qwerty") and variants that satisfy composition rules but top every wordlist (e.g. "Password1!")
- Test minimum length enforcement by submitting progressively shorter passwords
- Verify that known-breached passwords are rejected, that long passwords (64+ characters) are accepted rather than truncated, and that MFA enrollment is available or enforced
How to fix it
Enforce 12+ character minimum length
Longer passwords exponentially increase the search space for brute-force attacks. A 12-character minimum is a strong baseline, and a passphrase of several common words is both easier to remember and far harder to exhaust than an 8-character string of symbols. Allow at least 64 characters and any printable character, including spaces and Unicode, and do not impose composition rules.
Check against breached password databases
Use a service such as Have I Been Pwned's Pwned Passwords API to reject passwords that have appeared in known breaches. Its range endpoint implements k-anonymity: the client sends only the first five hex characters of the password's SHA-1 hash and receives every matching suffix with a prevalence count, so neither the password nor its full hash leaves your infrastructure. Treat any count above zero as a rejection and tell the user why.
Implement multi-factor authentication
Require MFA for all accounts, and insist on it for accounts with elevated privileges. TOTP and push notifications add a second factor that still depends on the user not being phished; FIDO2/WebAuthn hardware keys and passkeys are phishing-resistant and are the right choice for administrators.
Encourage password manager usage
Support long, randomly generated passwords: remove arbitrary maximum length limits (allow at least 64 characters), accept every character type including spaces, and never silently truncate input. If the stored hash is bcrypt, remember that it uses only the first 72 bytes; enforce a matching maximum explicitly rather than letting longer passwords that share a prefix verify as equal.
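The policy described in the fix steps above, as an added example that is not part of this page or of SecPortal's product: a validator that enforces a 12-character minimum and a generous maximum, rejects blocklisted and username-derived passwords, applies no composition rules, and performs the Pwned Passwords k-anonymity lookup. The breach corpus, the blocklist, and the range-endpoint stand-in are constructed so the code runs offline; in production, replace the fake fetcher with an HTTP GET to https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Policy constants following the recommendations above: long minimum, generous
# maximum so password managers are not blocked, and no composition rules.
MIN_LENGTH = 12
MAX_LENGTH = 128

# Constructed stand-in for a real blocklist (production code loads thousands of entries).
COMMON_PASSWORDS: Set[str] = {
    "password", "password123", "123456", "123456789", "qwerty",
    "admin", "letmein", "welcome", "iloveyou", "p@ssw0rd",
}

# Constructed "breached" corpus with made-up prevalence counts, used only to
# build an offline stand-in for the Pwned Passwords range endpoint.
FAKE_BREACH_CORPUS: Dict[str, int] = {
    "password123": 2_000_000,
    "Summer2024!": 15_000,
    "correct horse battery staple": 3_500,
}


@dataclass
class PolicyResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_fake_range_fetcher(corpus: Dict[str, int]) -> Callable[[str], str]:
    """Mimic GET /range/<5 hex chars>: one '<35 hex chars>:<count>' line per
    hash in the corpus that shares the prefix. Offline stand-in for the live API."""
    buckets: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        buckets.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def fetch(prefix: str) -> str:
        return "\r\n".join(buckets.get(prefix.upper(), []))

    return fetch


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the host.
    fetch_range(prefix) returns the response body; the suffix match is done locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def evaluate_password(password: str, username: str,
                      fetch_range: Callable[[str], str],
                      blocklist: Set[str] = COMMON_PASSWORDS) -> PolicyResult:
    """Apply the policy. Deliberately no character-class rules: length, the
    blocklist, context checks and the breach lookup do the work instead."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    if lowered in blocklist:
        reasons.append("appears in the common-password blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if len(set(password)) <= 2:
        reasons.append("made of one or two repeated characters")
    hits = pwned_count(password, fetch_range)  # a real deployment may skip this once rejected
    if hits:
        reasons.append(f"seen {hits} times in known breaches")
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    fetch = make_fake_range_fetcher(FAKE_BREACH_CORPUS)
    for candidate in ["password123", "correct horse battery staple",
                      "alice-in-wonderland-42", "tr0ub4dor&3 horse staple"]:
        result = evaluate_password(candidate, "alice", fetch)
        verdict = "accepted" if result.ok else "rejected: " + "; ".join(result.reasons)
        print(f"{candidate!r}: {verdict}")
```

Note that the long passphrase "correct horse battery staple" is rejected only because the (constructed) breach corpus contains it: length alone is not sufficient, which is why the breach check sits alongside the length rule rather than replacing it.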
Monitor for credential stuffing
Rate-limit login attempts per account and per source address, and alert on the credential-stuffing signature: one source trying many distinct usernames with a low success rate, as opposed to brute force, which hammers a single account. Block or challenge (CAPTCHA, step-up MFA) the offending source, and reset the password on any account where a stuffed credential succeeded.
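The detection logic described above, as an added example that is not part of this page or of SecPortal's product: a sliding-window detector run over constructed authentication log lines in a made-up format ("<iso timestamp> ip=<src> user=<name> result=<success|fail>"). It separates credential stuffing (many usernames from one source) from brute force (one username, many failures) and ignores a legitimate user who mistypes a few times; thresholds and the log format are assumptions to adapt to your own auth service.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional

# Constructed log format standing in for whatever your auth service emits.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_login_abuse(lines: List[str],
                       window: timedelta = timedelta(minutes=5),
                       min_attempts: int = 10,
                       min_distinct_users: int = 5) -> Dict[str, dict]:
    """Sliding window per source address. Many distinct usernames with few
    successes is the stuffing signature (one guess per account from a leaked
    list); many failures against one username is brute force. Each flagged
    source is returned with the window statistics that triggered it."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        recent: Deque[dict] = deque()
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:   # drop events older than the window
                recent.popleft()
            if len(recent) < min_attempts:
                continue
            users = {w["user"] for w in recent}
            successes = sum(1 for w in recent if w["result"] == "success")
            stats = {"attempts": len(recent), "distinct_users": len(users),
                     "successes": successes, "first": recent[0]["ts"], "last": e["ts"]}
            if len(users) >= min_distinct_users:
                findings[ip] = dict(stats, pattern="credential stuffing")
                break
            if len(users) == 1 and successes == 0:
                findings[ip] = dict(stats, pattern="brute force")
                break
    return findings


def build_sample_log() -> List[str]:
    """Constructed sample: a stuffing source, a brute-force source, and a
    legitimate user who mistypes twice, all within a couple of minutes."""
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []

    def emit(offset_s: int, ip: str, user: str, result: str) -> None:
        lines.append(f"{(t0 + timedelta(seconds=offset_s)).isoformat()} "
                     f"ip={ip} user={user} result={result}")

    # 203.0.113.7 walks a leaked list: one try per account, one reused password works.
    victims = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
               "ivan", "judy", "mallory", "oscar"]
    for i, user in enumerate(victims):
        emit(i * 7, "203.0.113.7", user, "success" if user == "heidi" else "fail")
    # 192.0.2.9 hammers a single account with a wordlist.
    for i in range(15):
        emit(3 + i * 4, "192.0.2.9", "admin", "fail")
    # 198.51.100.4 is bob mistyping his password, then getting it right.
    emit(20, "198.51.100.4", "bob", "fail")
    emit(35, "198.51.100.4", "bob", "fail")
    emit(50, "198.51.100.4", "bob", "success")
    return lines


if __name__ == "__main__":
    for ip, f in detect_login_abuse(build_sample_log()).items():
        print(f"{ip}: {f['pattern']} ({f['attempts']} attempts, "
              f"{f['distinct_users']} users, {f['successes']} successes)")
```

The stuffing source is flagged even though it produced a success: that success is exactly the account whose password should be reset, so the detector reports it rather than treating it as evidence of a legitimate login.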
Compliance impact
Assess password policy strength
SecPortal evaluates authentication mechanisms including password policies, lockout controls, and MFA. Start free.