Not Using Password Aging
Weakness ID: 262 (Weakness Variant)
Status: Draft
Description

Description Summary

If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.
Time of Introduction
  • Architecture and Design
Applicable Platforms

Languages

All

Common Consequences

Scope: Authentication

Effect: As passwords age, the probability that they are compromised grows.

Likelihood of Exploit

Very Low

Demonstrative Examples

Example 1

A common example is not having a system to terminate old employee accounts.

Example 2

Not having a system that enforces a password change after a fixed period.

Potential Mitigations

Phase: Architecture and Design

Ensure that password aging functionality is added to the design of the system, including an alert issued before the password is considered obsolete, along with useful information for the user about why password renewal matters and how to perform it.

Other Notes

The recommendation that users change their passwords regularly and do not reuse passwords is universal among security experts. In order to enforce this, it is useful to have a mechanism that notifies users when passwords are considered old and that requests that they replace them with new, strong passwords. In order for this functionality to be useful, however, it must be accompanied with documentation which stresses how important this practice is and which makes the entire process as simple as possible for the user.
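The mitigation and the note above describe the same three parts of a password aging mechanism: a maximum age after which the password is obsolete, an alert raised some time before that point, and a user-facing message that explains why renewal matters and how to do it. The following Python is an added example written for this page; it is not code from the CWE entry or from CLASP. The 90-day maximum age, the 14-day warning window, the help URL and the sample account records are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Policy values are constructed for this example; pick them per your own risk assessment.
MAX_PASSWORD_AGE = timedelta(days=90)   # password is considered obsolete after this
WARNING_WINDOW = timedelta(days=14)     # start alerting the user this long before expiry
HELP_URL = "https://example.invalid/password-policy"  # hypothetical documentation link


def password_status(changed_at: datetime, now: datetime,
                    max_age: timedelta = MAX_PASSWORD_AGE,
                    warn_before: timedelta = WARNING_WINDOW) -> dict:
    """Classify a password as 'ok', 'expiring' or 'expired' from its last-change time.

    Both timestamps must be timezone-aware so that the comparison is unambiguous
    across hosts with different local time settings.
    """
    if changed_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    if changed_at > now:
        # A change time in the future means a clock problem; refuse to guess.
        raise ValueError("password change time is in the future")
    expires_at = changed_at + max_age
    remaining = expires_at - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= warn_before:
        state = "expiring"
    else:
        state = "ok"
    return {
        "state": state,
        "expires_at": expires_at,
        "days_left": max(0, remaining.days),
    }


def login_message(user: str, status: dict, help_url: str = HELP_URL) -> str:
    """Build the text shown to the user after authentication.

    An expired password blocks normal login and forces a change; an expiring one
    gets an advance alert that points at the documentation, as the entry recommends.
    """
    if status["state"] == "expired":
        return (f"{user}: your password has expired and must be changed before you "
                f"can continue. Choose a new, strong password (how to: {help_url}).")
    if status["state"] == "expiring":
        when = status["expires_at"].date().isoformat()
        return (f"{user}: your password expires in {status['days_left']} day(s) "
                f"(on {when}). Please choose a new, strong password now; "
                f"see {help_url} for why this matters and how to do it.")
    return f"{user}: password OK."


def password_change_required(status: dict) -> bool:
    """True when login must not proceed until the password is replaced."""
    return status["state"] == "expired"


# Constructed sample data: user name and the time the password was last changed.
SAMPLE_ACCOUNTS = {
    "alice": datetime(2024, 5, 1, tzinfo=timezone.utc),
    "bob": datetime(2024, 3, 10, tzinfo=timezone.utc),
    "carol": datetime(2024, 1, 1, tzinfo=timezone.utc),
}


def aging_report(accounts: dict, now: datetime) -> dict:
    """Evaluate every account against the policy; returns {user: state}."""
    return {user: password_status(changed, now)["state"]
            for user, changed in accounts.items()}


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for user, changed in SAMPLE_ACCOUNTS.items():
        status = password_status(changed, now)
        print(login_message(user, status))
        if password_change_required(status):
            print(f"  -> login for {user} held until password is changed")
```

The warning window is what turns a bare expiry rule into the "alert previous to the time the password is considered obsolete" that the mitigation asks for; a policy that only rejects expired passwords trains users to pick something quick under pressure, which is the opposite of the strong-password outcome the note wants.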

Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 255 | Credentials Management | Development Concepts (primary) (699)
ChildOf | Weakness Base | 404 | Improper Resource Shutdown or Release | Research Concepts (primary) (1000)
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (1000)
PeerOf | Weakness Base | 263 | Password Aging with Long Expiration | Research Concepts (1000)
PeerOf | Weakness Base | 309 | Use of Password System for Primary Authentication | Research Concepts (1000)
PeerOf | Weakness Base | 324 | Use of a Key Past its Expiration Date | Research Concepts (1000)
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CLASP | | | Not allowing password aging
Related Attack Patterns

(CAPEC Version: 1.4)

CAPEC-ID | Attack Pattern Name
16 | Dictionary-based Password Attack
49 | Password Brute Forcing
55 | Rainbow Table Password Cracking
70 | Try Common (default) Usernames and Passwords
Content History

Submissions

Submission Date | Submitter | Organization | Source
 | CLASP | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings

Previous Entry Names

Change Date | Previous Entry Name
2008-04-11 | Not Allowing Password Aging