CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in touch

Application security insights and invitations to exclusive events in your inbox


Your data will stay confidential Private and Confidential

Weak Password Requirements [CWE-521]

This weakness described a case where application implements a poor password policy allowing users to create short or very simple passwords.

Created: June 11, 2018

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. Vulnerability Remediation Techniques and Examples
  8. References

1. Description

The weakness occurs when the application does not check complexity or minimum length of the provided passwords. Entire security of application depends on its authentication mechanism. Weak password requirements allow users to create weak passwords, susceptible to a verity of attacks.

2. Potential impact

The vulnerability may allow an attacker to guess users’ passwords and gain unauthorized access to the application.

3. Attack patterns

The following attack patterns can be used to exploit cleartext storage of sensitive information according to CAPEC (Common Attack Pattern Enumeration and Classification) classification:

4. Affected software

This vulnerability arises in application that require user authentication.

5. Severity and CVSS Scoring

Severity of this vulnerability depends on the application functionality and privileges of the user account with weak password. In case of modern web applications weak password for administrative account can lead to web application or even system compromise. In such case, the vulnerability is considered critical with CVSSv3 score 8.1:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6. Mitigations

When dealing with web applications, it is advices to provide an additional level of authentication (e.g. HTTP Basic authentication) for administrative user accounts in case where password policy management or source code modification is not possible. It is also recommended to restrict access to administrative interface to a list of trusted IP addresses only.

7. Vulnerability Remediation Techniques and Examples

It is recommended to always demand usage of strong passwords. A strong password should contain lower- and upper-case characters, digits, special symbols and be at least 8 characters long.

8. References

  1. CWE-521: Weak Password Requirements [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.

↑ Back to Top
High-Tech Bridge on Facebook High-Tech Bridge on Twitter High-Tech Bridge on LinkedIn High-Tech Bridge RSS Feeds Send by Email
Share
Let's Talk