Weak Password Requirements
Draft Base
Structure: Simple
Description
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.
Common Consequences 1
Scope: Access Control
Impact: Gain Privileges or Assume Identity
An attacker could easily guess user passwords and gain access user accounts.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Potential Mitigations 4
Phase: Architecture and Design
A product's design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
- Enforcement of a minimum and maximum length
- Restrictions against password reuse
- Restrictions against using common passwords
- Restrictions against using contextual string in the password (e.g., user id, app name)
Depending on the threat model, the password policy may include several additional attributes.
- Complex passwords requiring mixed character sets (alpha, numeric, special, mixed case)
- Increasing the range of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication.
- Unfortunately, a complex password may be difficult to memorize, encouraging a user to select a short password or to incorrectly manage the password (write it down).
- Another disadvantage of this approach is that it often does not result in a significant increases in overal password complexity due to people's predictable usage of various symbols.
1. Large Minimum Length (encouraging passphrases instead of passwords)
- Increasing the number of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication.
- A disadvantage of this approach is that selecting a good passphrase is not easy and poor passwords can still be generated. Some prompting may be needed to encourage long un-predictable passwords.
1. Randomly Chosen Secrets
- Generating a password for the user can help make sure that length and complexity requirements are met, and can result in secure passwords being used.
- A disadvantage of this approach is that the resulting password or passpharse may be too difficult to memorize, encouraging them to be written down.
See NIST 800-63B [REF-1053] for further information on password requirements.
Phase: Architecture and Design
Consider a second authentication factor beyond the password, which prevents the password from being a single point of failure. See Use of Single-factor Authentication for further information.
Phase: Implementation
Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.
Phase: Implementation
Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and its utility has been reduced in light of the adoption of related protection mechanisms (such as password complexity and computational effort), along with the recognition that regular password changes often caused users to generate more predictable passwords. As a result, this is now a Discouraged Common Practice [REF-1488] [REF-1489], especially as the sole factor in protecting passwords. It is still strongly encouraged to force password changes in case of evidence of compromise, but this is not the same as a forced "expiration" on an arbitrary time frame.
Observed Examples 1
CVE-2020-4574key server application does not require strong passwords
References 4
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
Digital Identity Guidelines (SP 800-63B)
NIST
06-2017
ID: REF-1053
Digital Identity Guidelines (SP 800-63B-4)
NIST
07-2025
ID: REF-1488
Password Guidance: Simplifying Your Approach
National Cyber Security Centre
14-09-2015
ID: REF-1489
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Not Technology-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
- 16Configuration
- 49Path Equivalence: 'filename/' (Trailing Slash)
- 55Path Equivalence: '/./' (Single Dot Directory)
- 70DEPRECATED: Mac Virtual File Problems
- 112Missing XML Validation
- 509Replicating Malicious Code (Virus or Worm)
- 555J2EE Misconfiguration: Plaintext Password in Configuration File
- 561Dead Code
- 565Reliance on Cookies without Validation and Integrity Checking
Related Weaknesses
ChildOf:
Use of Weak Credentials (CWE-1391)
ChildOf:
Improper Authentication (CWE-287)
Taxonomy Mapping
- OWASP Top Ten 2004