Is a password pattern validator a security vulnerability?

Time:05-26


Example: Your password must contain at least a lowercase character and an uppercase character, a special character, a number, and have a length between 10 and 50 characters.

CodePudding user response:

Please have a look at the OWASP Application Security Verification Standard, available here: https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP Application Security Verification Standard 4.0.3-en.pdf

You will find there requirements like:

2.1.9: Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters.

The OWASP standard reflects our best practices around application security. You can see that there should be no password validator in a modern system. It's not a vulnerability, it's just old-fashioned.

But the standard also says:

2.1.8: Verify that a password strength meter is provided to help users set a stronger password.

2.1.7: Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password.

So modern systems should provide something else.
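As an added illustration of the contrast the answer draws (this is example code, not part of the original answer or of the ASVS document), the block below puts the composition-rule validator from the question next to an ASVS-style check: length bounds only (no character-class rules, per 2.1.9), a check against a small local list of common passwords, and a check against a "remote" breach service that only ever sees the first five hex characters of the password's SHA-1 hash, so the plaintext never leaves the client (the mechanism the Pwned Passwords range API uses; here the service is a constructed in-memory stand-in). The breached-password lists, the `fake_range_server` function and the sample passwords are all constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for a local "top N most common passwords" list (ASVS 2.1.7).
LOCAL_COMMON = {"password", "123456", "qwerty12345", "letmein123"}

# Constructed stand-in for what a breach service knows. Note "Password1!"
# satisfies every composition rule yet is a well-known breached password.
REMOTE_BREACHED = {"Password1!", "Welcome123!", "Summer2020!"}


def legacy_composition_check(pw):
    """The validator the question describes: at least one lowercase, one
    uppercase, one digit, one special character, 10-50 characters in total.
    ASVS 2.1.9 says a system should not impose these character-class rules."""
    pattern = r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{10,50}"
    return re.fullmatch(pattern, pw) is not None


def sha1_hex_upper(pw):
    """Uppercase hex SHA-1 of the password, as used by range-style breach APIs."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix):
    """Constructed k-anonymity 'range' endpoint: given a 5-hex-char hash prefix,
    return every known hash suffix in that range. The server never learns the
    full hash, let alone the plaintext."""
    assert len(prefix) == 5
    return [sha1_hex_upper(p)[5:] for p in REMOTE_BREACHED
            if sha1_hex_upper(p).startswith(prefix)]


def is_breached_remote(pw, range_lookup=fake_range_server):
    """Client side of the range query: send only the prefix, compare the
    suffix locally. Plug in a real HTTP lookup for range_lookup in production."""
    digest = sha1_hex_upper(pw)
    return digest[5:] in range_lookup(digest[:5])


def asvs_style_check(pw, min_len=10, max_len=50):
    """Returns (accepted, reason). Length bounds only (no composition rules),
    then local and remote breached-password checks, as ASVS 2.1.7/2.1.9 ask."""
    if not (min_len <= len(pw) <= max_len):
        return False, "length"
    if pw in LOCAL_COMMON:
        return False, "breached-local"
    if is_breached_remote(pw):
        return False, "breached-remote"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple", "qwerty12345"]:
        print(f"{candidate!r}: legacy={legacy_composition_check(candidate)} "
              f"asvs={asvs_style_check(candidate)}")
```

Running the block shows the point of the standard: "Password1!" passes the legacy composition check but is rejected by the breach lookup, while a long passphrase with no uppercase, digit or symbol fails the legacy check and is accepted by the ASVS-style one. A strength meter (2.1.8) is the remaining piece; that is a UI hint to the user rather than a rejection rule, and a library such as zxcvbn is the usual way to provide it.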
