# detect-weak-password-validation

Detects weak password length requirements (less than 8 characters) in validation code.

Keywords: password policy, weak password, CWE-521, authentication, password length, security
⚠️ This rule errors by default in the recommended config.
## Quick Summary

| Aspect | Details |
|---|---|
| CWE Reference | CWE-521 (Weak Password Requirements) |
| OWASP | A07:2021 Identification and Authentication Failures |
| Severity | Critical |
| Category | Security |
## Rule Details

Weak password requirements allow attackers to easily brute-force or guess user credentials. This rule detects password length checks that are too permissive (less than 8 characters).

Modern security standards recommend a minimum of 12 characters combined with complexity requirements.
## Examples

### ❌ Incorrect

```js
// Too short - easily brute-forced
if (password.length >= 4) {
  return true;
}

// Still too weak
if (pwd.length > 5) {
  acceptPassword();
}

// Exact match is weak
if (pass.length === 6) {
  // Accept password
}
```

### ✅ Correct

```js
// NIST minimum recommendation
if (password.length >= 8) {
  return validateComplexity(password);
}

// Better - 12+ characters
if (password.length >= 12) {
  return true;
}

// Best - use a password validation library
// (the zxcvbn package exports the function as its default export)
import zxcvbn from 'zxcvbn';
const result = zxcvbn(password);
if (result.score >= 3) {
  return true;
}
```

## Error Message Format
The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance:

```
⚠️ CWE-521 OWASP:A07 CVSS:5.3 | Weak Password Requirements detected | MEDIUM
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A07_2021/
```

### Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-521 OWASP:A07 CVSS:5.3 |
| Issue Description | Specific vulnerability | Weak Password Requirements detected |
| Severity & Compliance | Impact assessment | MEDIUM |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
## Known False Negatives

The following patterns are not detected due to static analysis limitations:

### Configuration-Based Length

Why: Length values from configuration are not traced.

```js
// ❌ NOT DETECTED - Config value
const minLength = config.passwordMinLength; // Could be 4!
if (password.length >= minLength) {
}
```

Mitigation: Audit configuration files separately.
### Validation in External Functions

Why: Password validation inside helper functions is not analyzed.

```js
// ❌ NOT DETECTED - External validator
validatePassword(password); // May have weak internal checks
```

Mitigation: Apply the rule to all password validation code.
### Non-Standard Variable Names

Why: Only detects variables containing "password", "pwd", or "pass".

```js
// ❌ NOT DETECTED - Non-standard naming
if (userCredential.length >= 4) {
}
if (secretInput.length >= 4) {
}
```

Mitigation: Use consistent naming conventions.
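As an added example (not part of this page and not eslint-plugin-pg's own implementation, which works on the AST), the following standalone scanner approximates the rule's semantics over plain source text and runs it against a constructed sample that reproduces the incorrect examples above and the false negatives just listed; the names `MIN_LENGTH`, `NAME_RE`, `CHECK_RE`, `acceptedMinimum` and `findWeakLengthChecks` are assumptions of this example.

```javascript
// Added example (not eslint-plugin-pg's code): a simplified, text-based approximation
// of the rule's check. The real rule works on the AST; this regex scanner only shows
// the detection semantics and why the documented false negatives slip through.
const MIN_LENGTH = 8;                  // threshold from the rule description
const NAME_RE = /password|pwd|pass/i;  // variable names the rule recognises
// <identifier>.length <comparison operator> <integer literal>
const CHECK_RE = /\b([A-Za-z_$][\w$]*)\.length\s*(>=|>|===|==|<=|<)\s*(\d+)\b/g;

// Smallest password length the comparison accepts, or null when the operator
// bounds the maximum instead (`pwd.length < 20` says nothing about the minimum).
function acceptedMinimum(op, n) {
  switch (op) {
    case '>=': return n;
    case '>': return n + 1;
    case '===':
    case '==': return n;    // exact-length check: only length n passes
    default: return null;   // '<' and '<=' are upper bounds
  }
}

// Scan source text and report every length check that admits passwords
// shorter than MIN_LENGTH on a password-like variable.
function findWeakLengthChecks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(CHECK_RE)) {
      const [, name, op, literal] = m;
      if (!NAME_RE.test(name)) continue;       // non-standard names: not detected
      const minimum = acceptedMinimum(op, Number(literal));
      if (minimum !== null && minimum < MIN_LENGTH) {
        findings.push({ line: idx + 1, name, op, minimum });
      }
    }
  });
  return findings;
}

// Constructed sample covering the page's incorrect examples and its false negatives.
const SAMPLE = [
  'if (password.length >= 4) { return true; }',      // flagged: accepts length 4
  'if (pwd.length > 5) { acceptPassword(); }',        // flagged: accepts length 6
  'if (pass.length === 6) { }',                       // flagged: exact match of 6
  'if (password.length >= 12) { return true; }',     // fine
  'const minLength = config.passwordMinLength;',     // config value: not a literal
  'if (password.length >= minLength) { }',           // not detected (no literal)
  'if (userCredential.length >= 4) { }',             // not detected (name)
].join('\n');
const report = findWeakLengthChecks(SAMPLE);
console.log(JSON.stringify(report));
```

Running it reports the first three sample lines and nothing for the configuration-driven or non-standard-name checks, which is exactly the gap the mitigations above are meant to close.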
## When Not To Use It

- When using a dedicated password validation library (zxcvbn, password-validator)
- In test files mocking password validation
- When the length check is combined with other complexity requirements
## Further Reading

## Related Rules

- no-hardcoded-credentials (in eslint-plugin-pg)
- no-client-side-auth-logic
Category: Security
Type: Problem
Recommended: Yes