SYM_PY_0224 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Weak Password Requirements
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-521: Weak Password Requirements |
OWASP | A07:2021 - Identification and Authentication Failures |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | Low |
Description
Setting a Django user's password to the empty string leaves the account trivially guessable, because a blank password is then a valid credential for it. To disable login for a user instead, pass `None` as the password or call `set_unusable_password()`, which stores a value that no submitted password can match.
Impact
If a user has an empty string as their password, anyone can log in to their account by submitting a blank password. This can lead to unauthorized access, data breaches, and compromise of user accounts and sensitive information.
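As an added example (not code from the Symbiotic database or from Django itself), the stand-in below mirrors the method names of django.contrib.auth.models.User to show why a stored hash of the empty string is dangerous, wraps the fix the Description recommends, and adds an audit that lists the accounts a blank password would unlock. `StandInUser`, `set_password_or_disable` and `find_blank_password_accounts` are assumptions introduced here; the stand-in's hashing is a simplification of Django's hashers, kept only to the semantics that matter (None becomes unusable, "" is hashed like any other string).

```python
import hashlib
import hmac
import secrets

UNUSABLE_PREFIX = "!"  # Django marks an unusable hash with a leading "!"

class StandInUser:
    """Stand-in for django.contrib.auth.models.User (assumed, not Django's code)."""
    def __init__(self, username):
        self.username = username
        self.password = ""

    def set_password(self, raw_password):
        # Like Django's make_password(): None -> unusable, "" -> a real hash of ""
        if raw_password is None:
            self.set_unusable_password()
            return
        salt = secrets.token_hex(8)
        digest = hashlib.sha256((salt + raw_password).encode()).hexdigest()
        self.password = f"sha256${salt}${digest}"

    def set_unusable_password(self):
        self.password = UNUSABLE_PREFIX + secrets.token_urlsafe(30)

    def has_usable_password(self):
        return not self.password.startswith(UNUSABLE_PREFIX)

    def check_password(self, raw_password):
        if raw_password is None or not self.has_usable_password():
            return False
        try:
            _, salt, digest = self.password.split("$")
        except ValueError:  # malformed or never-set hash never verifies
            return False
        candidate = hashlib.sha256((salt + raw_password).encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)

def set_password_or_disable(user, raw_password):
    """Hardened wrapper: None disables login, "" is rejected, anything else is hashed."""
    if raw_password is None:
        user.set_unusable_password()
    elif raw_password == "":
        raise ValueError("refusing to store a hash of the empty string")
    else:
        user.set_password(raw_password)

def find_blank_password_accounts(users):
    """Audit helper: usernames whose stored hash verifies against ""."""
    return [u.username for u in users if u.has_usable_password() and u.check_password("")]
```

The audit function runs unchanged against real Django user objects, since it only relies on `has_usable_password()` and `check_password()`.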