CWE-309: Use of Password System for Primary Authentication
Weakness ID: 309 (Weakness Base) | Status: Draft
Description Summary
Common Consequences

Scope | Effect
---|---
Authentication | The failure of a password authentication mechanism will almost always result in attackers being authorized as valid users.
Potential Mitigations

Phase: Architecture and Design

In order to protect password systems from compromise, the following should be noted:

- Use a zero-knowledge password protocol, such as SRP.
- Ensure that passwords are stored safely and are not reversible.
- Implement password aging functionality that requires passwords be changed after a certain point.
- Use a mechanism for determining the strength of a password and notify the user of weak password use.
- Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.
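Three of the mitigations above (non-reversible storage, password aging, and a weak-password check) carried through in one added example; this is not code from CWE or CLASP. The PBKDF2 iteration count, the 90-day maximum age and the tiny denylist are constructed policy values, and the SRP mitigation is not covered here.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000          # constructed policy value; tune to your hardware
MAX_PASSWORD_AGE = 90 * 86_400       # constructed policy value: 90 days in seconds
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed sample denylist


def password_strength_issues(password):
    """Return the reasons a candidate password is weak; an empty list means acceptable."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears in the common-password list")
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in password))
    if any(not c.isalnum() for c in password):
        classes += 1
    if classes < 3:
        issues.append("uses fewer than 3 character classes")
    return issues


def make_record(password, now=None):
    """Store only a salted, slow, one-way hash so the password cannot be recovered from storage."""
    salt = os.urandom(16)  # fresh per-password salt: identical passwords yield different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS,
            "set_at": time.time() if now is None else now}


def verify(record, password, now=None):
    """Return (authenticated, must_change): aging is enforced only after a successful match."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    ok = hmac.compare_digest(candidate, record["hash"])   # constant-time comparison
    age = (time.time() if now is None else now) - record["set_at"]
    return ok, ok and age > MAX_PASSWORD_AGE


if __name__ == "__main__":
    rec = make_record("Correct-Horse-Battery-9", now=0)
    print(verify(rec, "Correct-Horse-Battery-9", now=10))             # (True, False)
    print(verify(rec, "Correct-Horse-Battery-9", now=100 * 86_400))   # (True, True)
    print(password_strength_issues("password"))
```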
Background Details

Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well-known attacks, and such frequent compromise, that their use in the most simple implementation is not practical.
Relationships

Nature | ID | Name | View(s) this relationship pertains to
---|---|---|---
ChildOf | 287 | Improper Authentication | Development Concepts (primary, view 699); Research Concepts (primary, view 1000)
ChildOf | 654 | Reliance on a Single Factor in a Security Decision | Research Concepts (view 1000)
ChildOf | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2004) (primary, view 711)
PeerOf | 308 | Use of Single-factor Authentication | Research Concepts (view 1000)
PeerOf | 262 | Not Using Password Aging | Research Concepts (view 1000)
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
CLASP | | | Using password systems
OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management
Content History

Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
 | CLASP | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Comment
---|---|---|---|---
2008-08-15 | Veracode | | External | Suggested OWASP Top Ten 2004 mapping
2008-09-08 | CWE Content Team | MITRE | Internal | updated Background Details, Common Consequences, Relationships, Taxonomy Mappings

Previous Entry Names

Change Date | Previous Entry Name
---|---
2008-04-11 | Using Password Systems