001_0004 - StrongPasswordPolicy
Strong password policy
Ensure a minimum password length of at least 8 characters and require all character classes (digits, symbols and mixed case).
Metadata
authors:
- Xiwen Cheng <x@cinaq.com>
category: Security
input: Security$ProjectSecurity.yaml
priority: 5
rulename: StrongPasswordPolicy
rulenumber: '001_0004'
scope: package
severity: HIGH
Description
Brute-force attacks are quite common. Ensure passwords are very strong.
Remediation
Ensure a minimum password length of at least 8 characters and require all character classes (digits, symbols and mixed case).
Test cases
package app.mendix.project_settings.strong_password
import rego.v1
# Test cases
test_allow if {
    allow with input as {
        "PasswordPolicySettings": {
            "MinimumLength": 9,
            "RequireDigit": true,
            "RequireSymbol": true,
            "RequireMixedCase": true,
        }
    }
}
test_no_allow_password_length if {
    not allow with input as {
        "PasswordPolicySettings": {
            "MinimumLength": 3,
            "RequireDigit": true,
            "RequireSymbol": true,
            "RequireMixedCase": true,
        }
    }
}
test_no_allow_simple if {
    not allow with input as {
        "PasswordPolicySettings": {
            "MinimumLength": 3,
            "RequireDigit": false,
            "RequireSymbol": true,
            "RequireMixedCase": false,
        }
    }
}
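The page lists the test cases but not the `allow` rule they exercise. The following is an added, illustrative implementation that is not the project's own rule: it is reconstructed from the remediation text and the test expectations above, reads the same `PasswordPolicySettings` keys, and passes the three tests. The `min_length` constant, the `violations` set and its messages are assumed names chosen here. It also adds a boundary test for exactly 8 characters, which the page's tests do not cover.

```rego
package app.mendix.project_settings.strong_password

import rego.v1

# Added example, not the project's own rule: an `allow` rule consistent with
# the test cases on this page, plus a `violations` set that explains failures.

min_length := 8

# Each unmet requirement yields one message. A missing key is treated as
# unmet because `not` on an undefined expression evaluates to true, so the
# rule fails closed on incomplete input.
violations contains msg if {
    settings := input.PasswordPolicySettings
    not settings.MinimumLength >= min_length
    actual := object.get(settings, "MinimumLength", 0)
    msg := sprintf("MinimumLength is %d, must be at least %d", [actual, min_length])
}

violations contains "RequireDigit must be true" if {
    not input.PasswordPolicySettings.RequireDigit == true
}

violations contains "RequireSymbol must be true" if {
    not input.PasswordPolicySettings.RequireSymbol == true
}

violations contains "RequireMixedCase must be true" if {
    not input.PasswordPolicySettings.RequireMixedCase == true
}

# The project setting is acceptable only when no requirement is violated.
default allow := false

allow if count(violations) == 0

# Boundary case the page's tests leave out: exactly 8 characters must pass.
test_allow_at_minimum_length if {
    allow with input as {
        "PasswordPolicySettings": {
            "MinimumLength": 8,
            "RequireDigit": true,
            "RequireSymbol": true,
            "RequireMixedCase": true,
        }
    }
}

# A length of 7 is rejected and the reason is reported.
test_violation_message_below_minimum if {
    "MinimumLength is 7, must be at least 8" in violations with input as {
        "PasswordPolicySettings": {
            "MinimumLength": 7,
            "RequireDigit": true,
            "RequireSymbol": true,
            "RequireMixedCase": true,
        }
    }
}
```

Place this file next to the test file above (both declare the same package) and run `opa test .` to execute the page's tests together with the boundary tests. Querying `data.app.mendix.project_settings.strong_password.violations` instead of `allow` tells an administrator which setting to change rather than only that the check failed.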