CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.8)  

Presentation Filter:

CWE-549: Missing Password Field Masking

 
Missing Password Field Masking
Weakness ID: 549 (Weakness Variant)Status: Draft
+ Description

Description Summary

The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
+ Time of Introduction
  • Implementation
+ Common Consequences
ScopeEffect
Access Control

Technical Impact: Bypass protection mechanism

+ Potential Mitigations

Phases: Implementation; Requirements

Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory255Credentials Management
Development Concepts (primary)699
ChildOfCategoryCategory355User Interface Security Issues
Development Concepts699
ChildOfWeakness BaseWeakness Base522Insufficiently Protected Credentials
Research Concepts (primary)1000
ChildOfCategoryCategory995SFP Secondary Cluster: Feature
Software Fault Pattern (SFP) Clusters (primary)888
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 19: Use of Weak Password-Based Systems." Page 279. McGraw-Hill. 2010.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes, Taxonomy_Mappings
2009-07-27CWE Content TeamMITREInternal
updated Relationships
2011-03-29CWE Content TeamMITREInternal
updated Description
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated References, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-06-23CWE Content TeamMITREInternal
updated Other_Notes
2014-07-30CWE Content TeamMITREInternal
updated Relationships
Page Last Updated: July 30, 2014