back
loading skill details...
Audit password policies and authentication configurations for security compliance. Check password complexity, storage (hashing algorithms), rotation policies...
---
name: password-policy-auditor
description: Audit password policies and authentication configurations for security compliance. Check password complexity, storage (hashing algorithms), rotation policies, MFA coverage, account lockout, and compliance with NIST 800-63, OWASP, and PCI-DSS guidelines.
---
# Password Policy Auditor
Audit your authentication system against modern security standards. Check password complexity rules, storage practices (bcrypt vs MD5), MFA adoption, account lockout policies, and compliance with NIST 800-63B, OWASP ASVS, and PCI-DSS โ then generate a remediation plan.
Use when: "audit password policy", "is our auth secure", "password security review", "NIST compliance", "MFA audit", "authentication hardening", "are we storing passwords safely", or before security assessments.
## Commands
### 1. `audit` โ Full Authentication Audit
#### Step 1: Check Password Hashing
```bash
# Find password hashing in code
rg "bcrypt|argon2|scrypt|pbkdf2|sha256|sha512|md5|hashlib" \
--type-not binary -g '!node_modules' -g '!vendor' -g '!*.test.*' 2>/dev/null
# Check for plaintext password storage
rg -i "password.*=.*['\"]|password.*store|INSERT.*password" \
--type-not binary -g '!node_modules' -g '!vendor' -g '!*.test.*' 2>/dev/null
```
Rate the hashing algorithm:
| Algorithm | Rating | Notes |
|-----------|--------|-------|
| Argon2id | ๐ข Best | Memory-hard, recommended by OWASP |
| bcrypt | ๐ข Good | Time-tested, work factor โฅ 12 |
| scrypt | ๐ข Good | Memory-hard alternative |
| PBKDF2 | ๐ก Acceptable | Needs โฅ 600K iterations (OWASP 2023) |
| SHA-256/512 + salt | ๐ด Weak | Too fast for password hashing |
| MD5 | ๐ด Critical | Broken, must migrate immediately |
| Plaintext | ๐ด Critical | Unacceptable in any context |
#### Step 2: Check Password Policy Configuration
```bash
# Find password validation rules
rg "password.*length|min.*password|password.*policy|password.*validation|password.*strength" \
--type-not binary -g '!node_modules' -g '!vendor' 2>/dev/null
# Check for complexity requirements
rg "uppercase|lowercase|digit|special.*char|complexity" \
--type-not binary -g '!node_modules' -g '!vendor' 2>/dev/null
```
Evaluate against NIST SP 800-63B (2024):
| Requirement | NIST Recommendation | Status |
|-------------|-------------------|--------|
| Minimum length | โฅ 8 characters (15+ recommended) | Check |
| Maximum length | โฅ 64 characters | Check |
| Complexity rules | NOT required (users pick bad passwords with forced complexity) | Check |
| Breached password check | REQUIRED โ check against known breach lists | Check |
| Password rotation | NOT required (only on evidence of compromise) | Check |
| Password hints | NOT allowed | Check |
| Knowledge-based auth | NOT recommended (mother's maiden name, etc.) | Check |
#### Step 3: Check Account Security Features
```bash
# MFA implementation
rg "totp|2fa|mfa|authenticator|otp|two.factor" \
--type-not binary -g '!node_modules' -g '!vendor' 2>/dev/null
# Account lockout
rg "lockout|lock.*account|failed.*attempt|max.*attempt|brute.force" \
--type-not binary -g '!node_modules' -g '!vendor' 2>/dev/null
# Rate limiting on auth endpoints
rg "rate.limit|throttle|login.*limit" \
--type-not binary -g '!node_modules' -g '!vendor' 2>/dev/null
# Session management
rg "session.*timeout|session.*expire|max.*session|concurrent.*session" \
--type-not binary -g '!node_modules' -g '!vendor' 2>/dev/null
```
#### Step 4: Check for Breached Passwords
```bash
# HaveIBeenPwned k-Anonymity API (safe, only sends hash prefix)
python3 -c "
import hashlib, requests
password = 'password123'
sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
prefix, suffix = sha1[:5], sha1[5:]
resp = requests.get(f'https://api.pwnedpasswords.com/range/{prefix}')
for line in resp.text.splitlines():
h, count = line.split(':')
if h == suffix:
print(f'๐ด Password found in {count} breaches!')
break
else:
print('โ
Password not found in known breaches')
"
```
#### Step 5: Generate Report
```markdown
# Password Policy Audit Report
## Overall Score: 62/100 (โ ๏ธ Needs Improvement)
## Password Storage
- Algorithm: bcrypt โ
- Work factor: 10 (๐ก recommend โฅ 12)
- Salt: automatic (bcrypt built-in) โ
- No plaintext storage found โ
## Password Policy
| Rule | Current | NIST 800-63B | OWASP | Status |
|------|---------|-------------|--------|--------|
| Min length | 8 | โฅ 8 (15+ recommended) | โฅ 8 | ๐ก |
| Max length | 50 | โฅ 64 | โฅ 128 | โ Increase to 128 |
| Complexity | Required | Not required | Not required | ๐ก Remove |
| Breach check | โ None | Required | Required | โ Add HIBP check |
| Rotation | 90 days | Not required | Not required | ๐ก Remove forced rotation |
## Account Security
- MFA: Available but not enforced (23% adoption) โ ๏ธ
- Account lockout: After 5 failures, 30 min lock โ
- Rate limiting on /login: 10 req/min/IP โ
- Session timeout: 24 hours (๐ก consider 8h for sensitive apps)
- Concurrent sessions: Unlimited (๐ก consider limiting)
## Critical Issues
1. ๐ด No breached password checking โ users can set `password123`
2. ๐ด Max password length only 50 chars โ blocks passphrase users
3. ๐ก bcrypt work factor 10 โ increase to 12 (rehash on login)
4. ๐ก MFA not enforced for admin accounts
## Remediation Plan
1. Implement HIBP breach check on registration and password change
2. Increase max password length to 128
3. Remove complexity requirements (per NIST)
4. Remove forced 90-day rotation (per NIST)
5. Enforce MFA for all admin/privileged accounts
6. Increase bcrypt rounds to 12 (transparent rehash on next login)
```
### 2. `compliance` โ Map to Specific Standard
Generate compliance checklist for:
- **NIST SP 800-63B** โ Digital Identity Guidelines
- **OWASP ASVS v4** โ Application Security Verification
- **PCI-DSS v4** โ Payment Card Industry
- **SOC 2** โ Service Organization Controls
- **ISO 27001** โ Information Security Management
### 3. `migrate` โ Plan Password Hash Migration
If using weak hashing (MD5, SHA-256), generate migration plan:
- Wrap existing hash with bcrypt (dual-hash during transition)
- Rehash on next successful login
- Force password reset for accounts not logged in within N months
- Preserve audit trail of migration status
don't have the plugin yet? install it then click "run inline in claude" again.