
CWE-262 – Not Using Password Aging


Description

If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.

Security experts have often recommended that users change their passwords regularly and avoid reusing passwords. Although this can be an effective mitigation, if the expiration window is too short, it can cause users to generate poor or predictable passwords. As such, it is important to discourage creating similar passwords. It is also useful to have a password aging mechanism that notifies users when passwords are considered old and requests that they replace them with new, strong passwords. Companion documentation which stresses how important this practice is can help users understand and better support this approach.

Modes of Introduction:

– Architecture and Design


Likelihood of Exploit: Low


Related Weaknesses

CWE-287
CWE-404
CWE-309
CWE-263
CWE-324


Consequences

Access Control: Gain Privileges or Assume Identity

As passwords age, the probability that they are compromised grows.


Potential Mitigations

Phase: Architecture and Design

Description: 

As part of a product’s design, require users to change their passwords regularly and avoid reusing previous passwords.
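The aging, notification and reuse checks described in this entry, as an added example that is not part of the CWE text or any project's code: a small Python model of an account whose password carries a timestamp, a warning window that lets the product notify the user before expiry, a bounded history of previous password hashes used to block reuse, and a similarity check between the old and new password at change time (the only moment both plaintexts are available). All policy values (MAX_AGE, WARN_BEFORE, HISTORY_DEPTH, MIN_LENGTH, SIMILARITY_LIMIT, the PBKDF2 iteration count) and the sample passwords are assumptions chosen for illustration; the entry itself states no specific numbers.

```python
import difflib
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy knobs: illustrative assumptions, not values from the CWE entry.
MAX_AGE = timedelta(days=90)        # password must be replaced after this
WARN_BEFORE = timedelta(days=14)    # notify the user this long before expiry
HISTORY_DEPTH = 5                   # previous digests kept to block reuse
MIN_LENGTH = 12
SIMILARITY_LIMIT = 0.8              # reject new passwords this close to the old one
PBKDF2_ITERATIONS = 200_000         # kept modest so the example runs quickly


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    current: PasswordRecord
    history: list = field(default_factory=list)  # most recent first


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; only digests are stored, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def new_record(password: str, now: datetime) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt=salt, digest=_derive(password, salt), set_at=now)


def matches(record: PasswordRecord, password: str) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    return hmac.compare_digest(record.digest, _derive(password, record.salt))


def password_status(account: Account, now: datetime) -> str:
    """'ok', 'expiring_soon' (warn the user) or 'expired' (require a change)."""
    age = now - account.current.set_at
    if age >= MAX_AGE:
        return "expired"
    if age >= MAX_AGE - WARN_BEFORE:
        return "expiring_soon"
    return "ok"


def validate_change(account: Account, current_password: str, new_password: str) -> str:
    """Return 'ok' or the reason the proposed new password is rejected."""
    if not matches(account.current, current_password):
        return "wrong_current_password"
    if len(new_password) < MIN_LENGTH:
        return "too_short"
    # Discourage near-copies of the old password (e.g. a trailing counter bumped by one).
    ratio = difflib.SequenceMatcher(None, current_password.lower(), new_password.lower()).ratio()
    if ratio >= SIMILARITY_LIMIT:
        return "too_similar"
    # Block reuse of the current password or any retained previous one.
    for record in [account.current] + account.history:
        if matches(record, new_password):
            return "reused"
    return "ok"


def change_password(account: Account, current_password: str, new_password: str, now: datetime) -> str:
    verdict = validate_change(account, current_password, new_password)
    if verdict != "ok":
        return verdict
    account.history = ([account.current] + account.history)[:HISTORY_DEPTH]
    account.current = new_record(new_password, now)
    return "ok"


def run_scenario() -> dict:
    """Walk one constructed account through the policy and collect each outcome."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account(current=new_record("CorrectHorse!Battery9", t0))  # constructed sample
    results = {
        "fresh": password_status(acct, t0),
        "day80": password_status(acct, t0 + timedelta(days=80)),
        "day90": password_status(acct, t0 + timedelta(days=90)),
        "wrong_current": change_password(acct, "nope", "Tundra-Lantern-Quartz-42", t0),
        "short": change_password(acct, "CorrectHorse!Battery9", "Short1!", t0),
        "similar": change_password(acct, "CorrectHorse!Battery9", "CorrectHorse!Battery10", t0),
        "changed": change_password(acct, "CorrectHorse!Battery9", "Tundra-Lantern-Quartz-42",
                                   t0 + timedelta(days=80)),
    }
    results["after_change"] = password_status(acct, t0 + timedelta(days=80))
    results["reuse_old"] = change_password(acct, "Tundra-Lantern-Quartz-42", "CorrectHorse!Battery9",
                                           t0 + timedelta(days=81))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The history holds only salted digests, so reuse is detected by re-deriving the candidate against each stored salt; the similarity check works on plaintext and therefore can only run at change time, which is why it sits in `validate_change` rather than anywhere the stored record is inspected.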

CVE References