CWE-309: Use of Password System for Primary Authentication

ID CWE-309
Abstraction Base
Structure Simple
Status Draft
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

Modes of Introduction

Phase Note
Architecture and Design

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific

Relationships

View ID | View | View Status | Weakness ID | Weakness Name | Abstraction | Structure | Status
CWE-1000 | Research Concepts | Draft | CWE-1390 | Weak Authentication | Class | Simple | Incomplete
CWE-1000 | Research Concepts | Draft | CWE-654 | Reliance on a Single Factor in a Security Decision | Base | Simple | Draft
CWE-1000 | Research Concepts | Draft | CWE-308 | Use of Single-factor Authentication | Base | Simple | Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
ID | Name | Weaknesses
CAPEC-16 | Dictionary-based Password Attack | CWE-309
CAPEC-49 | Password Brute Forcing | CWE-309
CAPEC-55 | Rainbow Table Password Cracking | CWE-309
CAPEC-70 | Try Common or Default Usernames and Passwords | CWE-309
CAPEC-509 | Kerberoasting | CWE-309
CAPEC-555 | Remote Services with Stolen Credentials | CWE-309
CAPEC-560 | Use of Known Domain Credentials | CWE-309
CAPEC-561 | Windows Admin Shares with Stolen Credentials | CWE-309
CAPEC-565 | Password Spraying | CWE-309
CAPEC-600 | Credential Stuffing | CWE-309
CAPEC-652 | Use of Known Kerberos Credentials | CWE-309
CAPEC-653 | Use of Known Operating System Credentials | CWE-309