I am using cracklib to check password strength for my web application. However, I’m concerned about whether or not my current implementation is secure.
The user enters a password, which is then run through the following node.js code:
    const { exec } = require('child_process');

    // password comes from the user's form submission
    const checkPassword = new Promise(function (resolve, reject) {
      exec('echo "' + password + '" | cracklib-check\n', function (err, stdout, stderr) {
        if (stderr) {
          reject(stderr);
        } else if (err) {
          reject(err);
        } else if (stdout) {
          resolve(stdout);
        } else {
          reject('Password Validation Failed');
        }
      });
    });
Because the password is being concatenated into the command, it seems like an attack is possible, kind of like SQL injection. Is this approach secure, and if not, how do I fix it? If I were to blacklist double quotes, would that avoid all potential issues?