Weak Password Requirements
Weakness ID: 521 (Weakness Base)Status: Draft
+ Description

Description Summary

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Extended Description

An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. Lack of password complexity significantly reduces the search space when trying to guess user's passwords, making brute-force attacks easier.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Potential Mitigations

Phase: Architecture and Design

Enforce usage of strong passwords. A password strength policy should contain the following attributes: (1) Minimum and maximum length; (2) Require mixed character sets (alpha, numeric, special, mixed case); (3) Do not contain user name; (4) Expiration; (5) No password reuse.

Phase: Architecture and Design

Authentication mechanisms should always require sufficiently complex passwords and require that they be periodically changed.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory255Credentials Management
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class693Protection Mechanism Failure
Research Concepts (primary)1000
ChildOfCategoryCategory724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ParentOfWeakness VariantWeakness Variant258Empty Password in Configuration File
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
Anonymous Tool Vendor (under NDA)
OWASP Top Ten 2004A3CWE More SpecificBroken Authentication and Session Management
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
16Dictionary-based Password Attack
49Password Brute Forcing
55Rainbow Table Password Cracking
70Try Common(default) Usernames and Passwords
112Brute Force
+ Content History
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
Suggested OWASP Top Ten 2004 mapping
2008-09-08CWE Content TeamMITREInternal
updated Description, Relationships, Taxonomy Mappings
2009-05-27CWE Content TeamMITREInternal
updated Related Attack Patterns