{"skill":{"slug":"password-policy-auditor","displayName":"Password Policy Auditor","summary":"Audit password policies and authentication configurations for security compliance. Check password complexity, storage (hashing algorithms), rotation policies...","description":"---\nname: password-policy-auditor\ndescription: Audit password policies and authentication configurations for security compliance. Check password complexity, storage (hashing algorithms), rotation policies, MFA coverage, account lockout, and compliance with NIST 800-63, OWASP, and PCI-DSS guidelines.\n---\n\n# Password Policy Auditor\n\nAudit your authentication system against modern security standards. Check password complexity rules, storage practices (bcrypt vs MD5), MFA adoption, account lockout policies, and compliance with NIST 800-63B, OWASP ASVS, and PCI-DSS — then generate a remediation plan.\n\nUse when: \"audit password policy\", \"is our auth secure\", \"password security review\", \"NIST compliance\", \"MFA audit\", \"authentication hardening\", \"are we storing passwords safely\", or before security assessments.\n\n## Commands\n\n### 1. 
`audit` — Full Authentication Audit\n\n#### Step 1: Check Password Hashing\n\n```bash\n# Find password hashing in code (ripgrep skips binary files by default,\n# so no extra type filter is needed)\nrg \"bcrypt|argon2|scrypt|pbkdf2|sha256|sha512|md5|hashlib\" \\\n  -g '!node_modules' -g '!vendor' -g '!*.test.*' 2>/dev/null\n\n# Check for plaintext password storage\nrg -i \"password.*=.*['\\\"]|password.*store|INSERT.*password\" \\\n  -g '!node_modules' -g '!vendor' -g '!*.test.*' 2>/dev/null\n```\n\nRate the hashing algorithm:\n\n| Algorithm | Rating | Notes |\n|-----------|--------|-------|\n| Argon2id | 🟢 Best | Memory-hard, recommended by OWASP |\n| bcrypt | 🟢 Good | Time-tested, work factor ≥ 12 |\n| scrypt | 🟢 Good | Memory-hard alternative |\n| PBKDF2 | 🟡 Acceptable | Needs ≥ 600K iterations (OWASP 2023) |\n| SHA-256/512 + salt | 🔴 Weak | Too fast for password hashing |\n| MD5 | 🔴 Critical | Broken, must migrate immediately |\n| Plaintext | 🔴 Critical | Unacceptable in any context |\n\n#### Step 2: Check Password Policy Configuration\n\n```bash\n# Find password validation rules\nrg \"password.*length|min.*password|password.*policy|password.*validation|password.*strength\" \\\n  -g '!node_modules' -g '!vendor' 2>/dev/null\n\n# Check for complexity requirements\nrg \"uppercase|lowercase|digit|special.*char|complexity\" \\\n  -g '!node_modules' -g '!vendor' 2>/dev/null\n```\n\nEvaluate against NIST SP 800-63B (2024):\n\n| Requirement | NIST Recommendation | Status |\n|-------------|-------------------|--------|\n| Minimum length | ≥ 8 characters (15+ recommended) | Check |\n| Maximum length | ≥ 64 characters | Check |\n| Complexity rules | NOT required (users pick bad passwords with forced complexity) | Check |\n| Breached password check | REQUIRED — check against known breach lists | Check |\n| Password rotation | NOT required (only on evidence of compromise) | Check |\n| Password hints | NOT allowed | Check |\n| Knowledge-based auth | NOT recommended (mother's maiden 
name, etc.) | Check |\n\n#### Step 3: Check Account Security Features\n\n```bash\n# MFA implementation\nrg \"totp|2fa|mfa|authenticator|otp|two.factor\" \\\n  -g '!node_modules' -g '!vendor' 2>/dev/null\n\n# Account lockout\nrg \"lockout|lock.*account|failed.*attempt|max.*attempt|brute.force\" \\\n  -g '!node_modules' -g '!vendor' 2>/dev/null\n\n# Rate limiting on auth endpoints\nrg \"rate.limit|throttle|login.*limit\" \\\n  -g '!node_modules' -g '!vendor' 2>/dev/null\n\n# Session management\nrg \"session.*timeout|session.*expire|max.*session|concurrent.*session\" \\\n  -g '!node_modules' -g '!vendor' 2>/dev/null\n```\n\n#### Step 4: Check for Breached Passwords\n\n```bash\n# HaveIBeenPwned k-Anonymity API (safe, only sends the first 5 hex chars of the SHA-1 hash)\n# Requires the third-party 'requests' package (pip install requests)\npython3 -c \"\nimport hashlib, requests\npassword = 'password123'\nsha1 = hashlib.sha1(password.encode()).hexdigest().upper()\nprefix, suffix = sha1[:5], sha1[5:]\nresp = requests.get(f'https://api.pwnedpasswords.com/range/{prefix}', timeout=10)\nresp.raise_for_status()\n# Each response line is SUFFIX:COUNT\nfor line in resp.text.splitlines():\n    h, count = line.split(':')\n    if h == suffix:\n        print(f'🔴 Password found in {count} breaches!')\n        break\nelse:\n    print('✅ Password not found in known breaches')\n\"\n```\n\n#### Step 5: Generate Report\n\n```markdown\n# Password Policy Audit Report\n\n## Overall Score: 62/100 (⚠️ Needs Improvement)\n\n## Password Storage\n- Algorithm: bcrypt ✅\n- Work factor: 10 (🟡 recommend ≥ 12)\n- Salt: automatic (bcrypt built-in) ✅\n- No plaintext storage found ✅\n\n## Password Policy\n\n| Rule | Current | NIST 800-63B | OWASP | Status |\n|------|---------|-------------|--------|--------|\n| Min length | 8 | ≥ 8 (15+ recommended) | ≥ 8 | 🟡 |\n| Max length | 50 | ≥ 64 | ≥ 128 | ❌ Increase to 128 |\n| Complexity | Required | Not required | Not required | 🟡 Remove |\n| Breach check | ❌ None | Required | Required | ❌ Add HIBP check |\n| Rotation | 90 days | Not required | Not required | 🟡 
Remove forced rotation |\n\n## Account Security\n- MFA: Available but not enforced (23% adoption) ⚠️\n- Account lockout: After 5 failures, 30 min lock ✅\n- Rate limiting on /login: 10 req/min/IP ✅\n- Session timeout: 24 hours (🟡 consider 8h for sensitive apps)\n- Concurrent sessions: Unlimited (🟡 consider limiting)\n\n## Critical Issues\n1. 🔴 No breached password checking — users can set `password123`\n2. 🔴 Max password length only 50 chars — blocks passphrase users\n3. 🟡 bcrypt work factor 10 — increase to 12 (rehash on login)\n4. 🟡 MFA not enforced for admin accounts\n\n## Remediation Plan\n1. Implement HIBP breach check on registration and password change\n2. Increase max password length to 128\n3. Remove complexity requirements (per NIST)\n4. Remove forced 90-day rotation (per NIST)\n5. Enforce MFA for all admin/privileged accounts\n6. Increase bcrypt rounds to 12 (transparent rehash on next login)\n```\n\n### 2. `compliance` — Map to Specific Standard\n\nGenerate a compliance checklist for:\n- **NIST SP 800-63B** — Digital Identity Guidelines\n- **OWASP ASVS v4** — Application Security Verification\n- **PCI-DSS v4** — Payment Card Industry\n- **SOC 2** — Service Organization Controls\n- **ISO 27001** — Information Security Management\n\n### 3. 
`migrate` — Plan Password Hash Migration\n\nIf the codebase uses weak hashing (MD5, SHA-256), generate a migration plan:\n- Wrap existing hashes with bcrypt (dual-hash during transition)\n- Rehash on next successful login\n- Force a password reset for accounts not logged in within N months\n- Preserve an audit trail of migration status\n","topics":["Policy"],"tags":{"latest":"1.0.0"},"stats":{"comments":0,"downloads":367,"installsAllTime":14,"installsCurrent":0,"stars":0,"versions":1},"createdAt":1777632230251,"updatedAt":1778492821950},"latestVersion":{"version":"1.0.0","createdAt":1777632230251,"changelog":"Initial release of password-policy-auditor\n\n- Audits password policies and authentication configurations for security compliance.\n- Checks password storage practices, complexity requirements, MFA implementation, and policy enforcement.\n- Evaluates compliance with NIST 800-63, OWASP, and PCI-DSS guidelines.\n- Provides automated commands and code snippets for auditing codebases.\n- Generates actionable audit reports and remediation plans.\n- Includes compliance checklists and migration guidance for weak password hashing.","license":"MIT-0"},"metadata":null,"owner":{"handle":"charlie-morrison","userId":"s17cttbdxry5kkyafjw983mq8s83p4y3","displayName":"charlie-morrison","image":"https://avatars.githubusercontent.com/u/271589886?v=4"},"moderation":null}