The application allows the use of weak passwords that are easily guessable and commonly found in breach or compromise databases. Examples of such weak passwords include "Admin@123", "Password@123", "Reset@123" and "Test@123".
Front-end password validation is implemented, but it can easily be bypassed with an intercepting proxy (such as Burp Suite), after which the backend accepts the weak password. This appears to be out-of-the-box (OTB) behaviour.
We propose that Adobe Commerce implement a feature that does the following:
- Enforce the password rules in the backend, and reject commonly used or compromised passwords by checking them in the backend against a known blacklist.
- Periodically review the policy to keep it aligned with current security standards, and monitor for weak or suspicious passwords via cron to further mitigate risk.
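As an added illustration of the backend check proposed above (example code written for this report, not Adobe Commerce or Magento code): a server-side validator that applies the length and character-class rules independently of any front-end JavaScript, rejects entries from a denylist (constructed here from the passwords named above plus a few typical breach-list entries), and performs a k-anonymity style SHA-1 prefix lookup against a constructed in-memory stand-in for a breach-corpus range service, so the full password never leaves the server doing the check. The denylist contents, the policy thresholds, the simulated breach corpus and all function names are assumptions of this example.

```python
"""Server-side password policy check with a denylist and a k-anonymity style
breach lookup. Added illustration of the feature proposed in the report; it is
not Adobe Commerce / Magento code. The denylist, the thresholds and the
simulated breach "range" table are constructed for this example."""
import hashlib
import re
from dataclasses import dataclass

# Constructed denylist: the weak passwords named in the report plus a few
# typical breach-list entries. Comparison is case-insensitive.
DENYLIST = frozenset({
    "admin@123", "password@123", "reset@123", "test@123",
    "password", "123456", "qwerty",
})

# Constructed breach corpus used only to simulate a k-anonymity range query:
# the checker sends the first 5 hex chars of SHA-1(password) and receives every
# suffix in that range with its breach count, then matches the suffix locally.
_SIMULATED_BREACH_CORPUS = {"Password@123": 5120, "Summer2023!": 42}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    min_classes: int = 3  # of: lowercase, uppercase, digit, other


def character_classes(password: str) -> int:
    """Count how many of lowercase/uppercase/digit/other appear."""
    checks = (
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"\d", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    return sum(1 for c in checks if c)


def sha1_range_key(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix sent to the lookup service
    and the suffix that is matched locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def simulated_range_query(prefix: str) -> str:
    """Stand-in for the HTTPS range endpoint (hypothetical): returns
    'SUFFIX:COUNT' lines for every corpus entry whose SHA-1 starts with prefix."""
    lines = []
    for pw, count in _SIMULATED_BREACH_CORPUS.items():
        p, s = sha1_range_key(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def breach_count(password: str, range_query=simulated_range_query) -> int:
    """Number of times the password appears in the (simulated) breach corpus."""
    prefix, suffix = sha1_range_key(password)
    for line in range_query(prefix).splitlines():
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


def validate_password(password: str,
                      policy: PasswordPolicy = PasswordPolicy(),
                      denylist=DENYLIST,
                      range_query=simulated_range_query) -> list[str]:
    """Return the list of policy violations (empty means accepted). Runs on the
    server for every password set/reset request, whatever the browser did."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    if character_classes(password) < policy.min_classes:
        problems.append("too_few_character_classes")
    if password.strip().lower() in denylist:
        problems.append("denylisted")
    elif breach_count(password, range_query) > 0:
        problems.append("found_in_breach_corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("Admin@123", "Password@123", "Summer2023!",
                      "correct-Horse9-Battery"):
        print(candidate, "->", validate_password(candidate) or "accepted")
```

Note that "Admin@123" satisfies the length and character-class rules, which is exactly why a complexity rule alone is insufficient: only the denylist or breach lookup rejects it. In a real deployment the denylist would be a large breach-derived list loaded from disk, the range query would go to an external service over HTTPS, and the same function would also be called by the cron-driven review job rather than being duplicated there.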