CWE-309 – Use of Password System for Primary Authentication

Read Time:1 Minute, 6 Second

Description

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks,and such frequent compromise that their use in the most simple implementation is not practical.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-287
CWE-654
CWE-308

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

A password authentication mechanism error will almost always result in attackers being authorized as valid users.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Use a zero-knowledge password protocol, such as SRP.

Phase: Architecture and Design

Description: 

Ensure that passwords are stored safely and are not reversible.

Phase: Architecture and Design

Description: 

Implement password aging functionality that requires passwords be changed after a certain point.

Phase: Architecture and Design

Description: 

Use a mechanism for determining the strength of a password and notify the user of weak password use.

Phase: Architecture and Design

Description: 

Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.

CVE References