logo

Not Using Password Aging

Draft Base
Structure: Simple
Description

The product does not have a mechanism in place for managing password aging.

Extended Description

Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. Without mechanisms such as aging, users might not change their passwords in a timely manner. Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).

Common Consequences 1
Scope: Access Control

Impact: Gain Privileges or Assume Identity

As passwords age, the probability that they are compromised grows.
Potential Mitigations 2
Phase: Architecture and Design
As part of a product's design, require users to change their passwords regularly and avoid reusing previous passwords.
Phase: Implementation
Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294].

Effectiveness: Discouraged Common Practice
Demonstrative Examples 1
A system does not enforce the changing of passwords every certain period.
References 9
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
Discussion Thread: Time to retire CWE-262 and CWE-263
Kurt Seifried and other members of the CWE-Research mailing list
03-12-2021
https://www.mail-archive.com/cwe-research-list@mitre.org/msg00018.html(2022-10-11)
ID: REF-1305
Time for Password Expiration to Die
Lance Spitzner
27-06-2021
https://www.sans.org/blog/time-for-password-expiration-to-die/
ID: REF-1289
Time to rethink mandatory password changes
Lorrie Cranor
02-03-2016
https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2016/03/time-rethink-mandatory-password-changes
ID: REF-1290
Security Myths and Passwords
Eugene Spafford
19-04-2006
https://www.cerias.purdue.edu/site/blog/post/password-change-myths/
ID: REF-1291
Password administration for system owners
National Cyber Security Centre
19-11-2018
https://www.ncsc.gov.uk/collection/passwords(2023-04-07)
ID: REF-1292
Digital Identity Guidelines: Authentication and Lifecycle Management(SP 800-63B)
NIST
06-2017
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf(2023-04-07)
ID: REF-1293
Let them paste passwords
National Cyber Security Centre
02-01-2017
https://webarchive.nationalarchives.gov.uk/ukgwa/20240701101110/https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords(2025-08-04)
ID: REF-1294
Likelihood of Exploit

Low

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Related Attack Patterns
Related Weaknesses
ChildOf: Weak Authentication (CWE-1390)
PeerOf: Use of Password System for Primary Authentication (CWE-309)
PeerOf: Use of a Key Past its Expiration Date (CWE-324)
Taxonomy Mapping
  • CLASP