Not Using Password Aging
ID: 262 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.
Likelihood of Exploit: Very Low
Applicable Platforms
Language Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Access_Control | Gain privileges / assume identity | As passwords age, the probability that they are compromised grows.
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
Architecture and Design | | Ensure that password aging functionality is added to the design of the system, including an alert before the password is considered obsolete, and useful information for the user about why password renewal matters and how to perform it. | |
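The mitigation has three parts: a maximum password age, a warning issued before that age is reached, and a notice that tells the user why renewal matters and how to do it. The Python below is an added example of that check written for this entry; it is not code from CWE or from CLASP. The 90-day and 14-day defaults, the `AgingPolicy`, `evaluate` and `user_notice` names, and the `CHANGE_PATH` string are assumptions chosen for illustration.

```python
"""Password-aging policy check (added example; not from the CWE entry or CLASP)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class AgingStatus(Enum):
    OK = "ok"            # within policy, no action needed
    WARN = "warn"        # inside the warning window: prompt the user to renew
    EXPIRED = "expired"  # past max age (or unknown): require a change first


@dataclass(frozen=True)
class AgingPolicy:
    # Hypothetical defaults; the real values are an organisational decision.
    max_age: timedelta = timedelta(days=90)
    warn_before: timedelta = timedelta(days=14)

    def __post_init__(self) -> None:
        if self.max_age <= timedelta(0):
            raise ValueError("max_age must be positive")
        if not timedelta(0) <= self.warn_before < self.max_age:
            raise ValueError("warn_before must be non-negative and shorter than max_age")


def evaluate(last_changed: Optional[datetime], now: datetime,
             policy: AgingPolicy) -> tuple[AgingStatus, timedelta]:
    """Classify a password by age.

    Returns the status and the time left before expiry (zero or negative once
    expired). An unknown, naive or future change time is treated as expired so
    the check fails closed instead of silently accepting a stale credential.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if last_changed is None or last_changed.tzinfo is None or last_changed > now:
        return AgingStatus.EXPIRED, timedelta(0)
    remaining = policy.max_age - (now - last_changed)
    if remaining <= timedelta(0):
        return AgingStatus.EXPIRED, remaining
    if remaining <= policy.warn_before:
        return AgingStatus.WARN, remaining
    return AgingStatus.OK, remaining


# Hypothetical location of the change-password function in the application.
CHANGE_PATH = "Settings > Security > Change password"


def user_notice(status: AgingStatus, remaining: timedelta) -> Optional[str]:
    """Build the message the mitigation asks for: the alert before expiry,
    why renewal matters, and how to do it. None when no notice is due."""
    if status is AgingStatus.OK:
        return None
    if status is AgingStatus.WARN:
        # Round up so a password with 6 hours left reads "1 day", not "0 days".
        days = -((-remaining) // timedelta(days=1))
        return (f"Your password expires in {days} day(s). Older passwords are "
                f"more likely to have been exposed; renew it now via {CHANGE_PATH}.")
    return ("Your password has expired and must be changed before you continue. "
            f"Use {CHANGE_PATH}.")


if __name__ == "__main__":
    # Constructed sample: a password last changed 80 days before the check.
    now = datetime(2022, 10, 10, tzinfo=timezone.utc)
    status, left = evaluate(now - timedelta(days=80), now, AgingPolicy())
    print(status.value, left, user_notice(status, left))
```

The check takes `now` as a parameter rather than reading the clock, so the boundary cases (exactly at the warning threshold, exactly at expiry, a missing or future timestamp) can be exercised deterministically in tests. The interval itself is a policy choice: current NIST SP 800-63B guidance favours forcing a change on evidence of compromise rather than on a fixed schedule, so the `max_age` value should be set deliberately rather than copied from the default here.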
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-262 ChildOf CWE-898 | Category | CWE-888 |
Demonstrative Examples (Details)
- A common example is not having a system to terminate old employee
accounts.
- Not having a system that enforces a password change at a set interval.
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
CLASP | | Not allowing password aging |
References:
- Michael Howard, David LeBlanc, John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section: "Sin 19: Use of Weak Password-Based Systems", page 279.