Read Time:1 Minute, 6 Second
Description
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks,and such frequent compromise that their use in the most simple implementation is not practical.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Related Weaknesses
CWE-287
CWE-654
CWE-308
Consequences
Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity
A password authentication mechanism error will almost always result in attackers being authorized as valid users.
Potential Mitigations
Phase: Architecture and Design
Description:
Phase: Architecture and Design
Description:
Use a zero-knowledge password protocol, such as SRP.
Phase: Architecture and Design
Description:
Ensure that passwords are stored safely and are not reversible.
Phase: Architecture and Design
Description:
Implement password aging functionality that requires passwords be changed after a certain point.
Phase: Architecture and Design
Description:
Use a mechanism for determining the strength of a password and notify the user of weak password use.
Phase: Architecture and Design
Description:
Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.
CVE References
