Use of Password System for Primary Authentication
Weakness ID: 309 (Weakness Base)Status: Draft
+ Description

Description Summary

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Authentication

The failure of a password authentication mechanism will almost always result in attackers being authorized as valid users.

+ Likelihood of Exploit

Very High

+ Demonstrative Examples

Example 1

Example Language:
unsigned char *check_passwd(char *plaintext) {
ctext=simple_digest("sha1",plaintext,strlen(plaintext)...);
if (ctext==secret_password()) // Log me in
}
Example Language: Java 
String plainText = new String(plainTextIn) MessageDigest encer = MessageDigest.getInstance("SHA"); encer.update(plainTextIn);
byte[] digest = password.digest();
if (digest==secret_password()) //log me in
+ Potential Mitigations

Phase: Architecture and Design

In order to protect password systems from compromise, the following should be noted:

  • Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stored encrypted, in a non-reversible state, such that the original text password cannot be extracted from the stored value.

  • Password aging should be strictly enforced to ensure that passwords do not remain unchanged for long periods of time. The longer a password remains in use, the higher the probability that it has been compromised. For this reason, passwords should require refreshing periodically, and users should be informed of the risk of passwords which remain in use for too long.

  • Password strength should be enforced intelligently. Rather than restrict passwords to specific content, or specific length, users should be encouraged to use upper and lower case letters, numbers, and symbols in their passwords. The system should also ensure that no passwords are derived from dictionary words.

Phase: Architecture and Design

Use a zero-knowledge password protocol, such as SRP.

Phase: Architecture and Design

Ensure that passwords are stored safely and are not reversible.

Phase: Architecture and Design

Implement password aging functionality that requires passwords be changed after a certain point.

Phase: Architecture and Design

Use a mechanism for determining the strength of a password and notify the user of weak password use.

Phase: Architecture and Design

Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.

+ Background Details

Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks,and such frequent compromise that their use in the most simple implementation is not practical.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class287Improper Authentication
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness BaseWeakness Base654Reliance on a Single Factor in a Security Decision
Research Concepts1000
ChildOfCategoryCategory724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2004) (primary)711
PeerOfWeakness BaseWeakness Base308Use of Single-factor Authentication
Research Concepts1000
PeerOfWeakness VariantWeakness Variant262Not Using Password Aging
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPUsing password systems
OWASP Top Ten 2004A3CWE More SpecificBroken Authentication and Session Management
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-08-15VeracodeExternal
Suggested OWASP Top Ten 2004 mapping
2008-09-08CWE Content TeamMITREInternal
updated Background Details, Common Consequences, Relationships, Taxonomy Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Using Password Systems
Back to top