If no mechanism is in place for managing password aging, nothing prompts users to update their passwords in a timely manner, and a password that has been guessed, phished or exposed in a breach remains valid indefinitely.
Time of Introduction
Architecture and Design
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Access Control
Technical Impact: Gain privileges / assume identity
The longer a password stays in use, the more opportunities there are for it to be guessed, phished or exposed in a breach, so the probability that it has been compromised grows with its age.
Likelihood of Exploit
Very Low
Demonstrative Examples
Example 1
A common example is not having a process to disable or terminate the accounts of former employees, so their credentials stay valid after they leave.
Example 2
Not having a mechanism that requires passwords to be changed after a set period, or when a credential is known to be compromised.
Potential Mitigations
Phase: Architecture and Design
Ensure that password aging is part of the system's design: record when each password was set, alert the user before the password is considered obsolete, and give the user useful information on why renewal matters and how to do it. The same mechanism should allow a change to be forced immediately when a credential is known to be compromised, independent of its age.
Other Notes
Security guidance has long recommended that users change their passwords regularly and do not reuse them. Enforcing this requires a mechanism that notifies users when a password is considered old and asks them to replace it with a new, strong one. For that mechanism to be useful it must be accompanied by documentation that stresses why the practice matters and that makes the entire process as simple as possible for the user. Note that current guidance has shifted: NIST SP 800-63B advises verifiers not to require password changes on an arbitrary fixed schedule, but to force a change when there is evidence of compromise and to screen new passwords against lists of known-breached values. Aging logic therefore remains useful, but evidence of compromise or exposure, rather than the calendar alone, should be what triggers a forced change.
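The aging and notification mechanism described under Potential Mitigations and Other Notes, as an added example that is not part of the CWE entry or the cited book. It is a hypothetical, self-contained policy checker: the 90-day maximum age, 14-day warning window, history depth of five, the `/account/password` path and the sample accounts are all assumptions constructed for the example. It goes slightly beyond the page's text by also covering the compromise-driven forced change and the reuse check against the hashes of previous passwords.

```python
"""Password aging check: added example, not code from the CWE entry or its reference."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class PasswordState(Enum):
    OK = "ok"                    # nothing to do
    WARN = "warn"                # inside the pre-expiry warning window: notify the user
    EXPIRED = "expired"          # older than max_age: force a change at next login
    MUST_CHANGE = "must_change"  # known compromised: force a change regardless of age


@dataclass
class PasswordPolicy:
    # Hypothetical values chosen for the example; tune per environment.
    max_age: timedelta = timedelta(days=90)
    warn_before: timedelta = timedelta(days=14)
    history_depth: int = 5        # how many previous passwords may not be reused


@dataclass
class Credential:
    username: str
    password_set_at: datetime
    compromised: bool = False     # set by a breach feed or credential-stuffing detection
    history: list = field(default_factory=list)  # (salt, pbkdf2 digest) of past passwords


POLICY = PasswordPolicy()
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the example is reproducible


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a real deployment would use the same KDF as its credential store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def evaluate(cred: Credential, policy: PasswordPolicy, now: datetime) -> tuple[PasswordState, int]:
    """Return (state, whole days until expiry); days is <= 0 once the password is overdue."""
    remaining = cred.password_set_at + policy.max_age - now
    days = remaining // timedelta(days=1)
    if cred.compromised:
        return PasswordState.MUST_CHANGE, days
    if remaining <= timedelta(0):
        return PasswordState.EXPIRED, days
    if remaining <= policy.warn_before:
        return PasswordState.WARN, days
    return PasswordState.OK, days


def login_message(cred: Credential, policy: PasswordPolicy, now: datetime) -> str:
    """Text shown at login: what is required, why, and where to do it (the 'method')."""
    state, days = evaluate(cred, policy, now)
    change_url = "/account/password"  # hypothetical path
    if state is PasswordState.MUST_CHANGE:
        return f"Your password appears in a known breach; you must set a new one now at {change_url}."
    if state is PasswordState.EXPIRED:
        return (f"Your password is {-days} days past its {policy.max_age.days}-day limit; "
                f"set a new one at {change_url}.")
    if state is PasswordState.WARN:
        return (f"Your password expires in {days} days. Old passwords are more likely to have "
                f"leaked; choose a new one at {change_url}.")
    return ""


def is_reused(cred: Credential, new_password: str, policy: PasswordPolicy) -> bool:
    """True if new_password matches any of the last history_depth stored digests."""
    for salt, digest in cred.history[-policy.history_depth:]:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            return True
    return False


def rotate(cred: Credential, new_password: str, policy: PasswordPolicy, now: datetime) -> Credential:
    """Record a new password: reject reuse, store a fresh salted digest, reset age and flag."""
    if is_reused(cred, new_password, policy):
        raise ValueError("new password matches a recently used one")
    salt = os.urandom(16)
    cred.history.append((salt, _digest(new_password, salt)))
    cred.password_set_at = now
    cred.compromised = False
    return cred


def sample_credential(days_ago: int, compromised: bool = False) -> Credential:
    """Constructed test data: a user whose password was set days_ago before NOW."""
    return Credential(f"user{days_ago}", NOW - timedelta(days=days_ago), compromised)


def demo() -> dict:
    """Evaluate four constructed accounts; returns {username: state value}."""
    creds = [sample_credential(10), sample_credential(80), sample_credential(100),
             sample_credential(5, compromised=True)]
    return {c.username: evaluate(c, POLICY, NOW)[0].value for c in creds}


if __name__ == "__main__":
    for user, state in demo().items():
        print(user, state)
```

The warning window is what gives the user the "alert previous to the time the password is considered obsolete"; the `compromised` flag is the modern trigger that forces a change without waiting for the age limit, and the salted digest history is what makes the "do not reuse" advice enforceable rather than merely documented.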
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 19: Use of Weak Password-Based Systems." Page 279. McGraw-Hill. 2010.