CWE-262: Not Using Password Aging
Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. Without mechanisms such as aging, users might not change their passwords in a timely manner.
Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific |
Relationships
| View | Weakness | |||||||
|---|---|---|---|---|---|---|---|---|
| # ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
| CWE-1000 | Research Concepts | Draft | CWE-1390 | Weak Authentication | Class | Simple | Incomplete | |
| CWE-1000 | Research Concepts | Draft | CWE-309 | Use of Password System for Primary Authentication | Base | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-324 | Use of a Key Past its Expiration Date | Base | Simple | Draft | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-16 | Dictionary-based Password Attack | CWE-262 |
| CAPEC-49 | Password Brute Forcing | CWE-262 |
| CAPEC-55 | Rainbow Table Password Cracking | CWE-262 |
| CAPEC-70 | Try Common or Default Usernames and Passwords | CWE-262 |
| CAPEC-509 | Kerberoasting | CWE-262 |
| CAPEC-555 | Remote Services with Stolen Credentials | CWE-262 |
| CAPEC-560 | Use of Known Domain Credentials | CWE-262 |
| CAPEC-561 | Windows Admin Shares with Stolen Credentials | CWE-262 |
| CAPEC-565 | Password Spraying | CWE-262 |
| CAPEC-600 | Credential Stuffing | CWE-262 |
| CAPEC-652 | Use of Known Kerberos Credentials | CWE-262 |
| CAPEC-653 | Use of Known Operating System Credentials | CWE-262 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |