2

Recently I started new work, and going through documentation and code to understand what company is doing. While doing that, I noticed there is logged number of special characters in his password.

Personally, I don't think it is good idea as disclose some information regarding password, especially for users who didn't used any special characters. From other hand, this issue wasn't picked up by pen testers.

I was wonder, is it me being too paranoiac and this is not a real issue, or it is a issue which was overlooked during pentesting.

user902383
  • 258
  • 1
  • 9
  • 3
    What is the purpose of this feature? What does the system do with the number of special characters? –  Mar 25 '20 at 14:27
  • 2
    How would logging criteria get picked up in *pentesting*? Pentests only cover a specific and niche testing set. Just because you pass a pentest ***does not mean that you are secure***. – schroeder Mar 25 '20 at 14:46
  • @MechMK1 To be fair, I don't know. All what I see it is being passed to logging mechanism. Don't have idea what is happening with them further. Given that, it was quite high log level, my guess is it will be recorded somewhere. – user902383 Mar 25 '20 at 15:24
  • does the log is stored in the database or somewhere else? – kelalaka Mar 25 '20 at 21:52

1 Answers1

3

You have two separate questions here:

Is logging number of special characters in password a bad idea?

I would say that is a bad practice. Off the top of my head, if an attacker is trying to brute-force / crack your users' password hashes, then knowing the number of special characters gives the attacker the following advantages:

  • It reduces the number of brute-force guesses because they only need to build a dictionary of candidate passwords with exactly that number of special characters. I won't do the math here, but see this answer of mine for an idea of how much that might reduce the effort. How critical is it to keep your password length secret?

  • It tells the attacker which users are "low-hanging fruit". IE who has a weak password and should be attacked first.

So yes, I agree this is a bad practice. I really can't imagine what legitimate reason there is to log this information ... ? I could see maybe someone put the log statements in while debugging the Change Password feature, but those logs statements should almost certainly be turned off in production.


Your other question:

From other hand, this issue wasn't picked up by pen testers.

To second @schroeder, pentests are usually very limited in scope (what they're allowed to look at / report on), limited in time (how long they have access to the system for), and limited in domain knowledge of your application (specifically where to look or poke). So a pentest report should be read as a measure of how easy it is to find issues, not as a complete list of issues.

If a specific issue was not mentioned by the pentesters, that may mean that A) they found it and it's not as issue, or B) they found it and that specific tester thought it was ok but a different tester would have reported it, or C) they didn't find it in the time / scope given.

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207