SCP03 Authentication and Password Management
What this means
SiteShadow flagged authentication and password handling patterns that are weak, inconsistent, or easy to bypass (weak password storage, missing MFA/lockouts, insecure reset flows, over-trusting client state).
Why it matters
Weak authentication enables account takeover and credential abuse.
- Credential stuffing and brute-force attacks succeed when rate limits/lockouts are missing.
- Offline cracking succeeds when passwords are stored with fast or unsalted hashes (see CWE-916/CWE-759).
- Account recovery abuse can be worse than a login weakness: a guessable, reusable, or long-lived reset token lets an attacker set a new password without ever knowing the old one.
Safer examples
1) Store passwords with a password hashing algorithm
import bcrypt
# bcrypt is deliberately slow and embeds a random per-password salt in the stored
# value; it uses only the first 72 bytes of the input, so enforce a length limit.
pw_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
2) Rate limit and lock out repeated failures
Count failures per account and per source IP, add progressive delays as failures accumulate, and lock the account after a threshold; apply the same throttling to unknown usernames so the response does not reveal which accounts exist (see RATE01-02 / CWE-799).
3) Make reset tokens high-entropy and short-lived
Generate tokens with a CSPRNG (at least 128 bits), make them single-use with a short expiry, bind each token to the account it was issued for, and store only a hash of the token server-side so a database read cannot replay it.
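Steps 2 and 3 together, as an added example that is not part of the SiteShadow rule text or any project code: a small in-memory login and password-reset service. It counts consecutive failures per account and per source IP with a doubling delay and a hard lockout, and issues reset tokens from the CSPRNG that are single-use, expire, and are bound to one account, with only the token's hash stored. Password storage uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the bcrypt call above so the example runs without third-party packages; the thresholds, the FakeClock helper, and the class and method names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are hypothetical, chosen for this example; tune them per deployment.
FAILURES_BEFORE_DELAY = 3        # progressive delay starts at the 3rd consecutive failure
LOCKOUT_AFTER = 8                # hard lock (needs out-of-band unlock) at the 8th failure
BASE_DELAY_SECONDS = 2.0         # 2s, then 4s, 8s, ... for each further failure
RESET_TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000      # demo value; OWASP recommends 600,000 for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (stdlib stand-in for the page's bcrypt call)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)   # constant-time comparison


class FakeClock:
    """Steppable clock so the flow runs deterministically without sleeping."""
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class FailureTracker:
    """Consecutive-failure counter keyed by ("user", name) or ("ip", address)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}          # key -> (count, timestamp of last failure)

    def record_failure(self, key):
        count, _ = self.failures.get(key, (0, 0.0))
        self.failures[key] = (count + 1, self.clock())

    def clear(self, key):
        self.failures.pop(key, None)

    def is_locked(self, key):
        return self.failures.get(key, (0, 0.0))[0] >= LOCKOUT_AFTER

    def wait_seconds(self, key):
        """Seconds still to wait; the delay doubles with each failure past the threshold."""
        count, last = self.failures.get(key, (0, 0.0))
        if count < FAILURES_BEFORE_DELAY:
            return 0.0
        delay = BASE_DELAY_SECONDS * 2 ** (count - FAILURES_BEFORE_DELAY)
        return max(0.0, last + delay - self.clock())


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}             # username -> (salt, digest)
        self.tracker = FailureTracker(clock)
        self.reset_tokens = {}      # sha256(token) -> (username, expires_at)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, client_ip):
        keys = (("user", username), ("ip", client_ip))
        for key in keys:            # both the account and the source address are throttled
            if self.tracker.is_locked(key):
                return "locked"
            if self.tracker.wait_seconds(key) > 0:
                return "slow_down"
        record = self.users.get(username)
        # Run the KDF even for unknown users so timing does not reveal which names exist.
        salt, digest = record if record else (b"\x00" * 16, b"\x00" * 32)
        ok = verify_password(password, salt, digest) and record is not None
        if ok:
            for key in keys:
                self.tracker.clear(key)
            return "ok"
        for key in keys:
            self.tracker.record_failure(key)
        return "invalid"

    @staticmethod
    def _token_key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_reset_token(self, username):
        """256-bit CSPRNG token; only its hash is stored, so a database read cannot replay it."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[self._token_key(token)] = (username, self.clock() + RESET_TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, username, token, new_password):
        """Single-use, expiring, account-bound. Any failed redemption also burns the token."""
        entry = self.reset_tokens.pop(self._token_key(token), None)   # pop: single use
        if entry is None:
            return False
        owner, expires_at = entry
        if self.clock() > expires_at or owner != username:
            return False
        self.register(username, new_password)
        return True


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    svc = AuthService(clock)
    svc.register("alice", "correct horse battery staple")
    for _ in range(3):
        print(svc.login("alice", "wrong", "203.0.113.7"))                 # invalid
    print(svc.login("alice", "correct horse battery staple", "203.0.113.7"))  # slow_down
    clock.advance(2.0)
    print(svc.login("alice", "correct horse battery staple", "203.0.113.7"))  # ok
```

Two design points worth noticing: the correct password is refused while a delay window is open, which is intentional (the throttle must apply to the attacker's lucky guess as much as to the wrong ones), and a reset token presented with the wrong account name is consumed rather than left valid. In a real deployment the failure counters and pending tokens would live in a shared store with TTLs rather than in process memory, so that the limits survive restarts and apply across all application instances.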
How SiteShadow detects it (high level)
- Detects weak password storage patterns (fast or unsalted hashes, reversible encoding) and risky auth flows (predictable or non-expiring reset/verify tokens, missing lockouts or rate limits).
- Flags authentication and authorization decisions that rely on untrusted client input, such as a role or user ID taken from a cookie, form field, or query parameter instead of server-side session state.
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---