Weak Password Requirements
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-521: Weak Password Requirements |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Setting a user's password to an empty string ('') rather than to None, or instead of calling set_unusable_password(), leaves the account with a password that is blank yet still treated as valid. Anyone who submits an empty password can then log in as that user.
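The blank-versus-unusable distinction above, as an added example that is not the page's or Django's own code: a simplified user model that mirrors Django's '!' prefix convention for unusable passwords, with a vulnerable legacy check beside the hardened one. The PBKDF2 hashing, the ITERATIONS value and the legacy plaintext fallback are constructed for illustration only.

```python
import hashlib
import hmac
import secrets

UNUSABLE_PREFIX = "!"   # Django marks unusable passwords with a leading '!'
ITERATIONS = 50_000     # deliberately low for a demo (assumption, not a recommendation)


def _hash(raw: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), ITERATIONS).hex()


class User:
    """Minimal stand-in for a user model (constructed for this example)."""

    def __init__(self) -> None:
        self.password = ""  # blank default: exactly the state the rule warns about

    def set_password(self, raw: str) -> None:
        salt = secrets.token_hex(8)
        self.password = f"pbkdf2${salt}${_hash(raw, salt)}"

    def set_unusable_password(self) -> None:
        # Random marker that can never verify; mirrors Django's '!' convention
        self.password = UNUSABLE_PREFIX + secrets.token_hex(20)

    def has_usable_password(self) -> bool:
        # Note: '' is NOT flagged here, which is why a blank password looks "valid"
        return not self.password.startswith(UNUSABLE_PREFIX)


def check_password_legacy(raw: str, encoded: str) -> bool:
    """Vulnerable: any stored value that is not a recognised hash is compared as
    plaintext, so an account stored with password '' accepts an empty login."""
    if encoded.startswith("pbkdf2$"):
        _, salt, digest = encoded.split("$")
        return hmac.compare_digest(_hash(raw, salt), digest)
    return raw == encoded  # '' == '' -> True: the bug from the description


def check_password(raw: str, encoded: str) -> bool:
    """Hardened: reject empty submissions, blank or unusable stored values, and
    anything that is not a recognised hash before comparing at all."""
    if not raw or not encoded or encoded.startswith(UNUSABLE_PREFIX):
        return False
    if not encoded.startswith("pbkdf2$"):
        return False
    _, salt, digest = encoded.split("$")
    return hmac.compare_digest(_hash(raw, salt), digest)
```

A blank password also slips past has_usable_password(), so gating a login path on that check alone does not catch the '' case; the early rejection in check_password() does.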
Impact
If exploited, attackers could gain unauthorized access to user accounts simply by submitting an empty password. This exposes sensitive user data and can compromise the security of the entire application.