Weak Password Requirements| ID: 521 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The product does not require that users should have strong
passwords, which makes it easier for attackers to compromise user
accounts.
Extended DescriptionAn authentication mechanism is only as strong as its credentials. For this
reason, it is important to require users to have strong passwords. Lack of
password complexity significantly reduces the search space when trying to
guess user's passwords, making brute-force attacks easier.
Applicable PlatformsNone
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | An attacker could easily guess user passwords and gain access user
accounts. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Enforce usage of strong passwords. A password strength policy should
contain the following attributes: | | |
| Architecture and Design | | Authentication mechanisms should always require sufficiently complex
passwords and require that they be periodically changed. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-521 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative ExamplesNone
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| Anonymous Tool Vendor (under NDA) | | | |
| OWASP Top Ten 2004 | A3 | Broken Authentication and Session
Management | CWE_More_Specific |
References:
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 19: Use of Weak Password-Based Systems." Page
279'. Published on 2010.
