CWE-263: Password Aging with Long Expiration

ID CWE-263
Abstraction Base
Structure Simple
Status Draft
Number of CVEs 1
The product supports password aging, but the expiration period is too long.

Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. A long expiration provides more time for attackers to conduct password cracking before users are forced to change to a new password.

Note that while password aging was once considered an important security feature, it has since fallen out of favor with many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).
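As an added example, not part of the CWE entry, the check below audits shadow(5)-style account records and flags any whose password expiration period exceeds a policy limit (an empty max-age field or the 99999 sentinel, meaning the password never ages, is flagged as the longest possible period). The sample records and the 90-day limit are constructed for illustration; substitute your own policy value.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Optional

EPOCH = dt.date(1970, 1, 1)
NO_AGING_SENTINEL = 99999  # shadow(5) convention: password effectively never expires

# Constructed shadow(5)-style records for this example (not real accounts):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved, where the day
# fields count days since the Unix epoch exactly as in /etc/shadow.
SAMPLE_SHADOW = """\
alice:$6$abc:19700:0:90:7:::
bob:$6$def:19000:0:365:7:::
carol:$6$ghi:19500:0:99999:7:::
dave:$6$jkl:19800:0::7:::
"""

@dataclass
class AgingFinding:
    user: str
    max_days: Optional[int]        # None when the max-age field is unset
    expires_on: Optional[dt.date]  # None when the password never expires
    too_long: bool                 # True when the period exceeds policy (or never expires)

def parse_int(field: str) -> Optional[int]:
    """Shadow numeric fields may be empty, meaning 'not set'."""
    return int(field) if field.strip() else None

def audit_password_aging(shadow_text: str, max_allowed_days: int) -> list[AgingFinding]:
    """Return one finding per account, flagging expiration periods above max_allowed_days."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed record: skip rather than guess at its fields
        user = fields[0]
        lastchg = parse_int(fields[2])
        max_days = parse_int(fields[4])
        if max_days is None or max_days >= NO_AGING_SENTINEL:
            findings.append(AgingFinding(user, max_days, None, True))
            continue
        expires_on = None
        if lastchg is not None:
            expires_on = EPOCH + dt.timedelta(days=lastchg + max_days)
        findings.append(AgingFinding(user, max_days, expires_on, max_days > max_allowed_days))
    return findings

if __name__ == "__main__":
    for finding in audit_password_aging(SAMPLE_SHADOW, 90):
        print(finding)
```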

Modes of Introduction

Phase Note
Architecture and Design COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific

Relationships

View
ID: CWE-1000  Name: Research Concepts  Status: Draft

Weakness
ID: CWE-1390  Name: Weak Authentication  Abstraction: Class  Structure: Simple  Status: Incomplete

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-16 Dictionary-based Password Attack CWE-263
CAPEC-49 Password Brute Forcing CWE-263
CAPEC-55 Rainbow Table Password Cracking CWE-263
CAPEC-70 Try Common or Default Usernames and Passwords CWE-263
CAPEC-509 Kerberoasting CWE-263
CAPEC-555 Remote Services with Stolen Credentials CWE-263
CAPEC-560 Use of Known Domain Credentials CWE-263
CAPEC-561 Windows Admin Shares with Stolen Credentials CWE-263
CAPEC-565 Password Spraying CWE-263
CAPEC-600 Credential Stuffing CWE-263
CAPEC-652 Use of Known Kerberos Credentials CWE-263
CAPEC-653 Use of Known Operating System Credentials CWE-263

CVEs Published

(Charts: CVSS Severity, CVSS Severity - By Year, CVSS Base Score. CVE table columns: CVE, Description, CVSS, EPSS, EPSS Trend (30 days), Affected Products, Weaknesses, Security Advisories, Exploits, PoC, Publication Date, Modification Date.)