CWE-521: Weak Password Requirements
Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.
Modes of Introduction
Phase | Note |
---|---|
Architecture and Design | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. |
Implementation | Not enforcing the password policy stated in a products design can allow users to create passwords that do not provide the necessary level of protection. |
Applicable Platforms
Type | Class | Name | Prevalence |
---|---|---|---|
Language | Not Language-Specific | ||
Technology | Not Technology-Specific |
Relationships
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org# ID | Name | Weaknesses |
---|---|---|
CAPEC-16 | Dictionary-based Password Attack | CWE-521 |
CAPEC-49 | Password Brute Forcing | CWE-521 |
CAPEC-55 | Rainbow Table Password Cracking | CWE-521 |
CAPEC-70 | Try Common or Default Usernames and Passwords | CWE-521 |
CAPEC-112 | Brute Force | CWE-521 |
CAPEC-509 | Kerberoasting | CWE-521 |
CAPEC-555 | Remote Services with Stolen Credentials | CWE-521 |
CAPEC-561 | Windows Admin Shares with Stolen Credentials | CWE-521 |
CAPEC-565 | Password Spraying | CWE-521 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |