Documents  Decision Records  Risks SECR-003: Brute-Forceable Passwords

SECR-003: Brute-Forceable Passwords

1 Status

Date Status
03-07-2026 Identified

2 Threat

An attacker gains a user account by trying common passwords against the login endpoint.

3 Vulnerability

No password policy is enforced and the login endpoint neither rate-limits nor locks out repeated failures.

4 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 CVSS Score

7.5

6 Mitigation

Not yet defined; candidate controls are a minimum-length policy checked against a breached-password list, and exponential back-off on failed logins.

7 Monitoring

Failed-login counts per account are graphed on the operations dashboard.