CWE-309: Use of Password System for Primary Authentication
ID | Abstraction | Structure | Status |
---|---|---|---|
CWE-309 | Base | Simple | Draft |
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
Modes of Introduction
Phase | Note |
---|---|
Architecture and Design | |
Applicable Platforms
Type | Class | Name | Prevalence |
---|---|---|---|
Language | Not Language-Specific | | |
Relationships
View ID | View Name | View Status | Weakness ID | Weakness Name | Abstraction | Structure | Status |
---|---|---|---|---|---|---|---|
CWE-1000 | Research Concepts | Draft | CWE-1390 | Weak Authentication | Class | Simple | Incomplete |
CWE-1000 | Research Concepts | Draft | CWE-654 | Reliance on a Single Factor in a Security Decision | Base | Simple | Draft |
CWE-1000 | Research Concepts | Draft | CWE-308 | Use of Single-factor Authentication | Base | Simple | Draft |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org
ID | Name | Weaknesses |
---|---|---|
CAPEC-16 | Dictionary-based Password Attack | CWE-309 |
CAPEC-49 | Password Brute Forcing | CWE-309 |
CAPEC-55 | Rainbow Table Password Cracking | CWE-309 |
CAPEC-70 | Try Common or Default Usernames and Passwords | CWE-309 |
CAPEC-509 | Kerberoasting | CWE-309 |
CAPEC-555 | Remote Services with Stolen Credentials | CWE-309 |
CAPEC-560 | Use of Known Domain Credentials | CWE-309 |
CAPEC-561 | Windows Admin Shares with Stolen Credentials | CWE-309 |
CAPEC-565 | Password Spraying | CWE-309 |
CAPEC-600 | Credential Stuffing | CWE-309 |
CAPEC-652 | Use of Known Kerberos Credentials | CWE-309 |
CAPEC-653 | Use of Known Operating System Credentials | CWE-309 |