Use of Password System for Primary Authentication

ID: 309
Date: (C) 2012-05-14   (M) 2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Base

Description

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

Likelihood of Exploit: Very High

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design

Common Consequences

Scope: Access_Control
Technical Impact: Bypass protection mechanism; Gain privileges / assume identity
Notes: A password authentication mechanism error will almost always result in attackers being authorized as valid users.

Detection Methods
None

Potential Mitigations

Phase: Architecture and Design (applies to every mitigation below)

In order to protect password systems from compromise, the following should be noted:

  • Use a zero-knowledge password protocol, such as SRP.
  • Ensure that passwords are stored safely and are not reversible.
  • Implement password aging functionality that requires passwords be changed after a certain point.
  • Use a mechanism for determining the strength of a password and notify the user of weak password use.
  • Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.
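The two mitigations about storage and strength (non-reversible storage, strength checking with user notification) as an added worked example in Python. This code is not part of the CWE entry or of SecPod's page; the parameters (PBKDF2-HMAC-SHA256 at 600,000 iterations, 16-byte random salts, a 12-character minimum, three required character classes, the denylist contents and the in-memory user store) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Work-factor parameters for PBKDF2-HMAC-SHA256 (assumed defaults for this example).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed denylist of well-known weak choices; a real deployment would use a large list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a one-way, salted record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is drawn when none is given, so two users with the same
    password get different records and the stored value cannot be reversed.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time; malformed or unknown records never verify."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        stored = bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def password_strength_issues(password: str, min_length: int = 12) -> List[str]:
    """Return the reasons a candidate password is weak; an empty list means acceptable.
    The thresholds (12 characters, three character classes) are assumptions."""
    issues: List[str] = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    classes = sum(1 for cls in (string.ascii_lowercase, string.ascii_uppercase,
                                string.digits, string.punctuation)
                  if any(ch in cls for ch in password))
    if classes < 3:
        issues.append("uses fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears on the common-password denylist")
    return issues


# Constructed in-memory user store: username -> stored record (never the password itself).
USERS = {}


def register(username: str, password: str) -> List[str]:
    """Reject weak passwords (returning the reasons to show the user); otherwise store only the salted hash."""
    issues = password_strength_issues(password)
    if not issues:
        USERS[username] = hash_password(password)
    return issues


def login(username: str, password: str) -> bool:
    """Authenticate by re-deriving and comparing hashes, never by comparing stored plaintext."""
    record = USERS.get(username)
    if record is None:
        # Run the derivation anyway so unknown usernames take as long as wrong passwords.
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    print(register("alice", "password"))            # weak: list of reasons
    print(register("alice", "Tr0ub4dor&3-is-long"))  # [] and the record is stored
    print(login("alice", "Tr0ub4dor&3-is-long"))     # True
    print(login("alice", "wrong"))                    # False
```

The record is self-describing (algorithm, iteration count and salt travel with the hash), so the work factor can be raised later without breaking existing accounts, and `hmac.compare_digest` keeps the final comparison constant-time.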

Relationships

Related CWE: CWE-309 ChildOf CWE-898
Type: Category
View: CWE-888

Demonstrative Examples   (Details)

  1. In both of these examples, a user is logged in if their given password matches a stored password: (Demonstrative Example Id DX-101)

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

  • CLASP: Using password systems
  • OWASP Top Ten 2004, Id A3: Broken Authentication and Session Management (Fit: CWE_More_Specific)

References:
None

© SecPod Technologies