CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Individual Dictionary Definition (CWE version 2.7)

CWE-262: Not Using Password Aging

Weakness ID: 262 (Weakness Variant)
Status: Draft
+ Description

Description Summary

If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences

Effect (Technical Impact): Gain privileges / assume identity

As passwords age, the probability that they are compromised grows.

+ Likelihood of Exploit

Very Low

+ Demonstrative Examples

Example 1

A common example is not having a system to terminate old employee accounts.

Example 2

Not having a system that enforces a password change after a set period.

+ Potential Mitigations

Phase: Architecture and Design

The recommendation that users change their passwords regularly and do not reuse passwords is universal among security experts. To enforce this, it is useful to have a password aging mechanism that notifies users when their passwords are considered old and requests that they replace them with new, strong passwords. For this functionality to be useful, however, it must be accompanied by documentation that stresses how important this practice is and that makes the entire process as simple as possible for the user.
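Added example, not part of the CWE entry: a small Python audit of constructed /etc/shadow-style records that flags accounts with no maximum password age (the condition this entry describes) and tells an aging mechanism which users are inside the warning window, which have expired, and which are locked or must change at next login. The sample records, the fixed reference date and the state names are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Constructed sample in /etc/shadow layout (name:hash:lastchange:min:max:warn:...);
# lastchange is days since 1970-01-01 and the hashes are placeholders, not real ones.
SAMPLE_SHADOW = """\
alice:$6$constructed$notarealhash:16200:0:90:7:::
bob:$6$constructed$notarealhash:16160:0:90:7:::
carol:$6$constructed$notarealhash:16100:0:90:7:::
dave:$6$constructed$notarealhash:16200:0:99999:7:::
erin:$6$constructed$notarealhash:16200:0::::
frank:!:16200:0:90:7:::
grace:$6$constructed$notarealhash:0:0:90:7:::
"""
TODAY = date(2014, 6, 23)  # fixed so the audit is reproducible; 16244 days since the epoch

@dataclass
class AgingState:
    user: str
    state: str  # no-aging | ok | warn | expired | must-change | locked
    days_left: Optional[int]

def classify(line: str, today: date) -> AgingState:
    f = line.split(":")
    if len(f) < 6:
        raise ValueError(f"malformed shadow record: {line!r}")
    user, pw_hash, last, _min, max_days, warn = f[:6]
    if pw_hash.startswith(("!", "*")):  # locked or no usable password
        return AgingState(user, "locked", None)
    if last == "0":  # password must be changed at next login
        return AgingState(user, "must-change", 0)
    if max_days in ("", "99999"):  # no maximum age: the CWE-262 condition
        return AgingState(user, "no-aging", None)
    days_left = int(max_days) - ((today - date(1970, 1, 1)).days - int(last))
    warn_days = int(warn) if warn else 0
    if days_left < 0:
        state = "expired"
    elif days_left <= warn_days:
        state = "warn"  # inside the warning window: notify the user now
    else:
        state = "ok"
    return AgingState(user, state, days_left)

def audit(text: str, today: date = TODAY) -> Dict[str, AgingState]:
    return {r.user: r for r in (classify(l, today) for l in text.splitlines() if l.strip())}

def accounts_without_aging(text: str, today: date = TODAY):
    """Users whose passwords never expire, i.e. the weakness this entry describes."""
    return sorted(u for u, r in audit(text, today).items() if r.state == "no-aging")
```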

+ Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 255 | Credentials Management | Development Concepts (primary) (699)
ChildOf | Weakness Class | 287 | Improper Authentication | Research Concepts (primary) (1000)
ChildOf | Weakness Base | 404 | Improper Resource Shutdown or Release | Research Concepts (1000)
ChildOf | Category | 898 | SFP Cluster: Authentication | Software Fault Pattern (SFP) Clusters (primary) (888)
PeerOf | Weakness Base | 263 | Password Aging with Long Expiration | Research Concepts (1000)
PeerOf | Weakness Base | 309 | Use of Password System for Primary Authentication | Research Concepts (1000)
PeerOf | Weakness Base | 324 | Use of a Key Past its Expiration Date | Research Concepts (1000)
MemberOf | View | 884 | CWE Cross-section | CWE Cross-section (primary) (884)
+ Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CLASP | | | Not allowing password aging
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 19: Use of Weak Password-Based Systems." Page 279. McGraw-Hill. 2010.
+ Content History

Submissions

Submission Date | Submitter | Organization | Source
| | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Change
2008-09-08 | MITRE | Internal | | updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2011-03-29 | MITRE | Internal | | updated Relationships
2011-06-01 | MITRE | Internal | | updated Common_Consequences
2011-06-27 | MITRE | Internal | | updated Common_Consequences
2012-05-11 | MITRE | Internal | | updated References, Relationships
2014-06-23 | MITRE | Internal | | updated Other_Notes, Potential_Mitigations

Previous Entry Names

Change Date | Previous Entry Name
2008-04-11 | Not Allowing Password Aging
Page Last Updated: June 23, 2014