CWE

Password Aging with Long Expiration

ID: 263		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: DRAFT
Abstraction Type: Base

Description

Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.

Extended Description

Just as neglecting to include functionality for the management of password aging is dangerous, so is allowing password aging to continue unchecked. Passwords must be given a maximum life span, after which a user is required to update with a new and different password.

Likelihood of Exploit: Very Low

Applicable Platforms
Language Class: All

Time Of Introduction

• Architecture and Design

Related Attack Patterns

• CAPEC-16
• CAPEC-49
• CAPEC-55
• CAPEC-70

Common Consequences

Scope	Technical Impact	Notes
Access_Control	Gain privileges / assume identity	As passwords age, the probability that they are compromised grows.

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Architecture and Design		Ensure that password aging is limited so that there is a defined maximum age for passwords and so that the user is notified several times leading up to the password expiration.

Relationships

Related CWE	Type	View	Chain
CWE-263 ChildOf CWE-898	Category	CWE-888

Demonstrative Examples   (Details)

1. A common example is not having a system to terminate old employee accounts.
2. Not having a system for enforcing the changing of passwords every certain period.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
CLASP		Allowing password aging

References:

1. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 19: Use of Weak Password-Based Systems." Page 279'. Published on 2010.