CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE Individual Dictionary Definition (CWE version 2.7)


CWE-521: Weak Password Requirements

Weakness ID: 521 (Weakness Base)
Status: Draft
+ Description

Description Summary

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Extended Description

An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. A lack of password length and complexity requirements significantly reduces the search space an attacker must cover when guessing users' passwords, making brute-force and dictionary attacks easier.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences
Scope / Effect

Technical Impact: Gain privileges / assume identity

An attacker could easily guess user passwords and gain access to user accounts.

+ Potential Mitigations

Phase: Architecture and Design

Enforce the use of strong passwords. A password strength policy should include the following attributes:

  1. Minimum and maximum length;

  2. Required mixed character sets (alphabetic, numeric, special, mixed case);

  3. Must not contain the user name;

  4. Expiration;

  5. No password reuse.

Phase: Architecture and Design

Authentication mechanisms should always require sufficiently complex passwords and require that they be periodically changed.
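The following is an added example, not part of the CWE entry, showing how the five policy attributes listed above plus the periodic-change requirement can be enforced in application code. It is written in Python and uses only the standard library. The concrete values (12-character minimum, 128-character maximum, at least three of four character classes, 90-day maximum age, 600,000 PBKDF2 iterations) and the sample passwords are illustrative assumptions; the reuse check is done against stored salted hashes so that old passwords never have to be kept in plaintext.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Illustrative PBKDF2 work factor (assumption); tune to hardware and threat model.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash a password with a fresh random salt using PBKDF2-HMAC-SHA256.

    Password history is stored as (salt, digest) pairs, never as plaintext,
    so the "no password reuse" rule can be enforced safely.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 128
    min_char_classes: int = 3               # of lowercase, uppercase, digit, special
    max_age: timedelta = timedelta(days=90)  # assumption: 90-day expiration

    def check(self, password: str, username: str,
              previous_hashes: List[Tuple[bytes, bytes]]) -> List[str]:
        """Return the list of policy violations; an empty list means the password is accepted."""
        problems: List[str] = []

        # 1. Minimum and maximum length
        if len(password) < self.min_length:
            problems.append("too_short")
        if len(password) > self.max_length:
            problems.append("too_long")

        # 2. Mixed character sets: count how many of the four classes are present
        classes = sum([
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(c in string.punctuation for c in password),
        ])
        if classes < self.min_char_classes:
            problems.append("too_few_character_classes")

        # 3. Must not contain the user name (case-insensitive substring match)
        if username and username.lower() in password.lower():
            problems.append("contains_username")

        # 5. No password reuse: compare against every stored (salt, digest) in the history
        if any(verify_password(password, salt, digest) for salt, digest in previous_hashes):
            problems.append("reused")

        return problems

    def expired(self, last_changed: datetime, now: Optional[datetime] = None) -> bool:
        """4. Expiration: True when the password is older than max_age and must be changed."""
        now = now if now is not None else datetime.now(timezone.utc)
        return now - last_changed > self.max_age


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample history: one previous password, stored only as a salted hash.
    history = [hash_password("Old-Passw0rd-2014")]
    for pw in ["short", "correcthorsebatterystaple", "alice-Rocks-2024!",
               "Old-Passw0rd-2014", "G00d-Passphrase-For-Bob!"]:
        print(repr(pw), "->", policy.check(pw, "alice", history) or "accepted")
    print("expired:", policy.expired(datetime(2014, 1, 1, tzinfo=timezone.utc),
                                     now=datetime(2014, 6, 1, tzinfo=timezone.utc)))
```

Running the check at every password change (and `expired()` at login) covers both mitigations: the complexity rules reject guessable passwords up front, and the age check forces the periodic change. Returning a list of violations rather than a single boolean lets the application tell the user exactly which rule failed without leaking anything about other accounts.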

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 255 | Credentials Management | Development Concepts (primary) 699
ChildOf | Weakness Class | 287 | Improper Authentication | Research Concepts (primary) 1000
ChildOf | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2004) (primary) 711
ChildOf | Category | 898 | SFP Cluster: Authentication | Software Fault Pattern (SFP) Clusters (primary) 888
ParentOf | Weakness Variant | 258 | Empty Password in Configuration File | Research Concepts 1000
MemberOf | View | 884 | CWE Cross-section | CWE Cross-section (primary) 884
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
Anonymous Tool Vendor (under NDA) | | |
OWASP Top Ten 2004 | A3 | | Broken Authentication and Session Management
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 19: Use of Weak Password-Based Systems." Page 279. McGraw-Hill. 2010.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Cigital | | External
  updated Potential_Mitigations, Time_of_Introduction
2008-08-15 | Veracode | | External
  Suggested OWASP Top Ten 2004 mapping
2008-09-08 | MITRE | | Internal
  updated Description, Relationships, Taxonomy_Mappings
2009-05-27 | MITRE | | Internal
  updated Related_Attack_Patterns
2011-03-29 | MITRE | | Internal
  updated Potential_Mitigations, Relationships
2011-06-01 | MITRE | | Internal
  updated Common_Consequences
2012-05-11 | MITRE | | Internal
  updated Common_Consequences, References, Relationships
Page Last Updated: June 23, 2014