1. Home
  2. Weaknesses
  3. CWE-521

CWE-521: Weak Password Requirements

ID CWE-521
Abstraction Base
Structure Simple
Status Draft
Number of CVEs 191
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.

Modes of Introduction

Phase Note
Architecture and Design COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Implementation Not enforcing the password policy stated in a products design can allow users to create passwords that do not provide the necessary level of protection.

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific
Technology Not Technology-Specific

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-1391 Use of Weak Credentials Class Simple Incomplete
CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities Incomplete CWE-287 Improper Authentication Class Simple Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-16 Dictionary-based Password Attack CWE-521
CAPEC-49 Password Brute Forcing CWE-521
CAPEC-55 Rainbow Table Password Cracking CWE-521
CAPEC-70 Try Common or Default Usernames and Passwords CWE-521
CAPEC-112 Brute Force CWE-521
CAPEC-509 Kerberoasting CWE-521
CAPEC-555 Remote Services with Stolen Credentials CWE-521
CAPEC-561 Windows Admin Shares with Stolen Credentials CWE-521
CAPEC-565 Password Spraying CWE-521

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date