Tag Archives: CWE- 521

CWE-521 – Weak Password Requirements

Read Time:1 Minute, 0 Second

Description

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-287
CWE-287

 

Consequences

Access Control: Gain Privileges or Assume Identity

An attacker could easily guess user passwords and gain access user accounts.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Consider a second
authentication factor beyond the password, which prevents the
password from being a single point of failure. See CWE-308 for
further information.

Phase: Implementation

Description: 

Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.

CVE References