Use of Password System for Primary Authentication
ID: 309 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each of which reduces the effectiveness of the mechanism.
Likelihood of Exploit: Very High
Applicable Platforms
Language Class: All
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Access_Control | Bypass protection mechanism; Gain privileges / assume identity | A password authentication mechanism error will almost always result in attackers being authorized as valid users.
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
Architecture and Design | | In order to protect password systems from compromise, the following should be noted: | |
Architecture and Design | | Use a zero-knowledge password protocol, such as SRP. | |
Architecture and Design | | Ensure that passwords are stored safely and are not reversible. | |
Architecture and Design | | Implement password aging functionality that requires passwords be changed after a certain point. | |
Architecture and Design | | Use a mechanism for determining the strength of a password and notify the user of weak password use. | |
Architecture and Design | | Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings. | |
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-309 ChildOf CWE-898 | Category | CWE-888 |
Demonstrative Examples (Details)
- In both of these examples, a user is logged in if their given password matches a stored password. (Demonstrative Example Id DX-101)
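The page's own example code for DX-101 is not reproduced above. The following is an added example, not CWE's code, contrasting the described pattern (login succeeds when the given password equals the stored one, which requires keeping the password in recoverable form) with the mitigations listed here: non-reversible salted storage via scrypt, a constant-time comparison, and a strength check that flags weak passwords. The parameters and the small common-password list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Scrypt cost parameters (assumption: illustrative values, tune for your hardware).
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
# Constructed blocklist standing in for a real common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def login_plaintext(given: str, stored: str) -> bool:
    """The weak pattern the page describes: stored must be the password itself."""
    return given == stored  # reversible storage plus a non-constant-time compare


def hash_password(password: str, salt: bytes = b"") -> str:
    """Derive a one-way, per-user salted hash; the password cannot be recovered from it."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, expected)


def password_is_weak(password: str) -> bool:
    """Strength check used to warn the user: short, common, or low-variety passwords are weak."""
    if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
        return True
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit) if any(map(test, password)))
    classes += any(not c.isalnum() for c in password)
    return classes < 3


def login_hashed(given: str, stored_hash: str) -> bool:
    """Hardened login: only the non-reversible hash is ever stored or compared."""
    return verify_password(given, stored_hash)
```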
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
CLASP | | Using password systems |
OWASP Top Ten 2004 | A3 | Broken Authentication and Session Management | CWE_More_Specific
References: None