The application allows users to set weak passwords that do not meet security best practices, making accounts susceptible to brute force and credential stuffing attacks.
Weak passwords can be easily guessed or cracked, leading to unauthorized account access, data breaches, and potential privilege escalation.
Enforce a minimum password length of 12 or more characters. Require a mix of uppercase, lowercase, numbers, and special characters. Implement password breach checking against lists of known compromised passwords. Consider implementing passwordless authentication.
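An added example (not part of the original finding) of the remediation above in Python: a validator that enforces the length and character-class rules and performs a k-anonymity-style breach lookup, where only the first five hex characters of the SHA-1 digest would leave the client. The breach corpus and the range endpoint are constructed stand-ins so the check runs offline.

```python
import hashlib
import string
from collections import defaultdict

MIN_LENGTH = 12

# Constructed stand-in for a public compromised-password corpus; a real deployment
# would query a range API or a local copy of such a list, never this hard-coded set.
_KNOWN_BREACHED = ["password", "Password123!", "Summer2024!!", "letmein"]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus the way a range lookup serves it: 5-hex-char prefix -> suffixes.
_RANGE_INDEX: dict[str, set[str]] = defaultdict(set)
for _pw in _KNOWN_BREACHED:
    _digest = _sha1_hex(_pw)
    _RANGE_INDEX[_digest[:5]].add(_digest[5:])


def range_lookup(prefix: str) -> set[str]:
    """Simulated range endpoint: every suffix sharing the 5-char prefix.
    Only the prefix is sent, so the service never learns the full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return set(_RANGE_INDEX.get(prefix.upper(), set()))


def is_breached(password: str) -> bool:
    digest = _sha1_hex(password)
    # The suffix comparison happens locally, on the client side.
    return digest[5:] in range_lookup(digest[:5])


def check_password(password: str) -> list[str]:
    """Return the policy violations; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if is_breached(password):
        failures.append("appears in a known breach corpus")
    return failures
```

Note that a password can satisfy every complexity rule and still be rejected because it is in the corpus, which is why the breach check is applied in addition to, not instead of, the composition rules.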