{"@ID": "521", "@Name": "Weak Password Requirements", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-521-Diagram.png", "Description": "The product does not require that users should have strong passwords.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1391", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "287", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Background_Details": {"Background_Detail": "Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism."}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design", "Note": "COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic."}, {"Phase": "Implementation", "Note": "Not enforcing the password policy stated in a products design can allow users to create passwords that do not provide the necessary level of protection."}]}, "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": "Gain Privileges or Assume Identity", "Note": "An attacker could easily guess user passwords and gain access user accounts."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": {"xhtml:p": ["A product's design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:", "Depending on the threat model, the password policy may include several additional attributes.", "See NIST 800-63B [REF-1053] for further information on password requirements."], "xhtml:ul": [{"xhtml:li": ["Enforcement of a minimum and maximum length", "Restrictions against password reuse", "Restrictions against using common passwords", "Restrictions against using contextual string in the password (e.g., user id, app name)"]}, {"xhtml:li": [{"xhtml:ul": {"xhtml:li": ["Increasing the range of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication.", "Unfortunately, a complex password may be difficult to memorize, encouraging a user to select a short password or to incorrectly manage the password (write it down).", "Another disadvantage of this approach is that it often does not result in a significant increases in overal password complexity due to people's predictable usage of various symbols."]}, "#text": "Complex passwords requiring mixed character sets (alpha, numeric, special, mixed case)"}, {"xhtml:ul": {"xhtml:li": ["Increasing the number of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication.", "A disadvantage of this approach is that selecting a good passphrase is not easy and poor passwords can still be generated. Some prompting may be needed to encourage long un-predictable passwords."]}, "#text": "Large Minimum Length (encouraging passphrases instead of passwords)"}, {"xhtml:ul": {"xhtml:li": ["Generating a password for the user can help make sure that length and complexity requirements are met, and can result in secure passwords being used.", "A disadvantage of this approach is that the resulting password or passpharse may be too difficult to memorize, encouraging them to be written down."]}, "#text": "Randomly Chosen Secrets"}]}]}}, {"Phase": "Architecture and Design", "Description": "Consider a second\n                 authentication factor beyond the password, which prevents the\n                 password from being a single point of failure. See CWE-308 for\n                 further information."}, {"Phase": "Implementation", "Description": "Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes."}, {"Phase": "Implementation", "Description": "Previously, \"password expiration\" was\n\t\t\t   widely advocated as a defense-in-depth approach to\n\t\t\t   minimize the risk of weak passwords, and it has become\n\t\t\t   a common practice.  Password expiration requires a\n\t\t\t   password to be changed within a fixed time window (such\n\t\t\t   as every 90 days).  However, this approach has\n\t\t\t   significant limitations in the current threat\n\t\t\t   landscape, and its utility has been reduced in light of\n\t\t\t   the adoption of related protection mechanisms (such as\n\t\t\t   password complexity and computational effort), along\n\t\t\t   with the recognition that regular password changes\n\t\t\t   often caused users to generate more predictable\n\t\t\t   passwords. As a result, this is now a Discouraged\n\t\t\t   Common Practice [REF-1488] [REF-1489], especially as\n\t\t\t   the sole factor in protecting passwords. It is still\n\t\t\t   strongly encouraged to force password changes in case\n\t\t\t   of evidence of compromise, but this is not the same as\n\t\t\t   a forced \"expiration\" on an arbitrary time\n\t\t\t   frame.", "Effectiveness": "Discouraged Common Practice"}]}, "Observed_Examples": {"Observed_Example": {"Reference": "CVE-2020-4574", "Description": "key server application does not require strong passwords", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-4574"}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A3", "Entry_Name": "Broken Authentication and Session Management", "Mapping_Fit": "CWE More Specific"}}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "112"}, {"@CAPEC_ID": "16"}, {"@CAPEC_ID": "49"}, {"@CAPEC_ID": "509"}, {"@CAPEC_ID": "55"}, {"@CAPEC_ID": "555"}, {"@CAPEC_ID": "561"}, {"@CAPEC_ID": "565"}, {"@CAPEC_ID": "70"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-44", "@Section": "\"Sin 19: Use of Weak Password-Based Systems.\" Page 279"}, {"@External_Reference_ID": "REF-1053", "@Section": "Sections: 5.1.1, 10.2.1, and Appendix A"}, {"@External_Reference_ID": "REF-1488", "@Section": "8.1.2.1. Passwords"}, {"@External_Reference_ID": "REF-1489", "@Section": "Tip 2: Help users cope with password overload"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "Anonymous Tool Vendor (under NDA)", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Organization": "Veracode", "Modification_Date": "2008-08-15", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "Suggested OWASP Top Ten 2004 mapping"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Description, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Common_Consequences, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Modes_of_Introduction, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Description, Modes_of_Introduction, Potential_Mitigations, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Observed_Examples, Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Potential_Mitigations, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Background_Details, Description, Diagram, Potential_Mitigations, Relationships, Weakness_Ordinalities"}], "Contribution": {"@Type": "Feedback", "Contribution_Name": "Camille Gouttebroze", "Contribution_Organization": "CAST Software", "Contribution_Date": "2025-03-17", "Contribution_Version": "4.18", "Contribution_ReleaseDate": "2025-09-09", "Contribution_Comment": "suggested removal of password expiration as an acceptable mitigation and provided references"}}}
