Security Vulnerability: Weak Password Validation in Admin Setup Wizard Allows Compromised Admin Accounts

[mandar1045]

I've identified a critical security issue in the Rocket.Chat setup wizard where the AdminInfoStep component performs only a basic length check (> 0) for admin passwords, with no enforcement of password strength requirements or user guidance. This flaw could enable administrators to set weak passwords during initial setup, potentially compromising the entire Rocket.Chat installation.

[mandar1045]

Implement client-side password policy validation using the existing PasswordPolicy class, enforcing minimum requirements (e.g., 8 characters, uppercase, lowercase, numbers) while respecting configurable settings. Add user-friendly hints to guide password creation, ensuring backward compatibility and improved security posture.

[smirk-dev]

Excellent catch on this critical security vulnerability! Password strength during admin setup is a critical attack vector. Here's my comprehensive security-focused approach to fix this:

Security Risk Assessment:

1. Current Vulnerability:

   • Length-only check (> 0) is insufficient
   • Admin accounts have maximum privilege
   • Weak passwords enable brute force attacks
   • Affects entire Rocket.Chat installation security

2. Attack Vectors:

   • Dictionary attacks on weak passwords
   • Brute force attempts (no rate limiting in setup)
   • Credential stuffing from data breaches
   • Social engineering with simple passwords

Comprehensive Fix Strategy:

Phase 1: Password Policy Implementation

• Enforce minimum 12 characters (NIST recommendation)
• Require complexity: uppercase + lowercase + numbers + special chars
• Validate against common password lists
• Check against breach databases (Have I Been Pwned API)
• Implement password entropy check

Phase 2: Backend Validation

function validateAdminPassword(password: string): {
  isValid: boolean;
  errors: string[];
} {
  const errors: string[] = [];
  
  // Length check
  if (password.length < 12) {
    errors.push('Password must be at least 12 characters');
  }
  
  // Complexity checks
  if (!/[A-Z]/.test(password)) errors.push('Requires uppercase letter');
  if (!/[a-z]/.test(password)) errors.push('Requires lowercase letter');
  if (!/[0-9]/.test(password)) errors.push('Requires number');
  if (!/[!@#$%^&*]/.test(password)) errors.push('Requires special character');
  
  // Check against common passwords
  if (commonPasswordsList.includes(password.toLowerCase())) {
    errors.push('Password too common, please choose another');
  }
  
  return {
    isValid: errors.length === 0,
    errors
  };
}

Phase 3: Frontend UX Enhancement

• Real-time password strength meter
• Clear requirement indicators
• Helpful error messages
• Password suggestions using zxcvbn library
• Show/hide password toggle

Phase 4: Additional Security Hardening

• Rate limit setup attempts (prevent brute force)
• Log all admin password changes
• Add security questions or 2FA for recovery
• Force password change on first login
• Implement account lockout after failed attempts
• Send security audit log

Phase 5: Testing & Validation

• Test with OWASP password list
• Verify breach database checks work
• Test rate limiting
• Security audit
• Load testing on password validation

Implementation Details:

1. Update AdminInfoStep component:

   • Add real-time validation feedback
   • Implement strength meter
   • Show security requirements checklist

2. Backend (server/methods/addUser.ts):

   • Call validation function
   • Log admin password changes
   • Implement rate limiting

3. Dependencies to add:

   • zxcvbn - password strength estimation
   • check-password-strength - validation library

Security Best Practices:

✅ Never transmit passwords via logs
✅ Always hash passwords server-side
✅ Use bcrypt/argon2 for hashing
✅ Implement account lockout
✅ Log security events
✅ Consider requiring 2FA for admin accounts
✅ Regular security audits

Risk Priority:
This should be CRITICAL/HIGH priority as it affects admin account security at the system initialization level.

Happy to provide detailed implementation code or help with the PR. Security is critical for enterprise installations!