[Forgot Password]
Login  Register Subscribe

25354

 
 

132811

 
 

144584

 
 

909

 
 

116218

 
 

156

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Weak Password Requirements

ID: 521Date: (C)2012-05-14   (M)2020-04-28
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Extended Description

An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. Lack of password complexity significantly reduces the search space when trying to guess user's passwords, making brute-force attacks easier.

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Access_Control
 
Gain privileges / assume identity
 
An attacker could easily guess user passwords and gain access user accounts.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 Enforce usage of strong passwords. A password strength policy should contain the following attributes:

 
  
Architecture and Design
 
 Authentication mechanisms should always require sufficiently complex passwords and require that they be periodically changed.
 
  

Relationships

Related CWETypeViewChain
CWE-521 ChildOf CWE-898 Category CWE-888  

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
Anonymous Tool Vendor (under NDA)  
 
 
OWASP Top Ten 2004 A3
 
Broken Authentication and Session Management
 
CWE_More_Specific
 

References:

  1. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 19: Use of Weak Password-Based Systems." Page 279'. Published on 2010.
CVE    39
CVE-2018-19064
CVE-2018-1372
CVE-2020-11966
CVE-2019-6558
...

© SecPod Technologies