CWE-521
Weak Password Requirements
Base
What it is
The product does not require that users have strong passwords.
Impact
| Scope | Impact |
| --- | --- |
| Access Control | Gain Privileges or Assume Identity |
Mitigations
- [Architecture and Design] A product's design should require adherence to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended that the policy include the following attributes:
  - Enforcement of a minimum and maximum length
  - Restrictions against password reuse
  - Restrictions against using common passwords
  - Restrictions against using contextual strings
- [Architecture and Design] Consider a second authentication factor beyond the password, which prevents the password from being a single point of failure. See CWE-308 for further information.
- [Implementation] Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.
- [Implementation] Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and its utility has been reduced in light of th
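The policy attributes listed in the mitigations above, as an added example in Python (not MITRE's code and not from any product): a checker that enforces minimum and maximum length, a common-password denylist, contextual strings such as the user name, e-mail address and application name, and reuse against a history of previous password hashes. It reports every violated rule at once, which is the feedback a complexity meter is meant to give. The denylist is a small constructed sample, the history is assumed to be stored as (salt, PBKDF2-HMAC-SHA256 digest) pairs, and the names PasswordPolicy, hash_password and check_password are this example's own.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample denylist for this example. A deployment would load a large
# breach-derived list (tens of thousands of entries or more) instead.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome1", "admin123", "iloveyou", "changeme",
})

PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly; tune upward in production


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 128          # an upper bound stops multi-megabyte inputs from burning hash time
    min_context_fragment: int = 4  # shortest piece of context worth treating as a leaked hint


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in the password history."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def _context_fragments(context: tuple[str, ...], min_len: int) -> set[str]:
    """Split context strings (user name, e-mail, app name) into case-folded fragments to block."""
    fragments: set[str] = set()
    for value in context:
        for piece in re.split(r"[\s@._\-]+", value):
            if len(piece) >= min_len:
                fragments.add(piece.casefold())
    return fragments


def check_password(
    password: str,
    policy: PasswordPolicy = PasswordPolicy(),
    context: tuple[str, ...] = (),
    previous: tuple[tuple[bytes, bytes], ...] = (),
) -> list[str]:
    """Return the policy rules the candidate password violates; an empty list means acceptable.

    Every rule is evaluated rather than stopping at the first failure so the user
    can be told about all problems in one round trip.
    """
    problems: list[str] = []
    folded = password.casefold()

    # Length bounds: a floor against guessing, a ceiling against hashing-cost abuse.
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")

    # Common passwords are compared case-insensitively against the denylist.
    if folded in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")

    # Contextual strings: anything an attacker already knows about the account must not appear.
    for fragment in sorted(_context_fragments(context, policy.min_context_fragment)):
        if fragment in folded:
            problems.append(f"contains contextual string {fragment!r}")

    # Reuse: re-derive with each stored salt and compare in constant time.
    for salt, digest in previous:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            problems.append("matches a previously used password")
            break

    return problems


if __name__ == "__main__":
    history = (hash_password("CorrectHorseBatteryStaple"),)
    for pw in ("password", "Alice-Spring-2024!!", "CorrectHorseBatteryStaple", "Tr0ub4dor&3-neon-giraffe"):
        print(pw, "->", check_password(pw, context=("alice", "alice@example.com", "AcmeVault"), previous=history) or "ok")
```

The reuse check deliberately re-derives the hash with each stored salt instead of keeping old passwords in a reversible form, so the history list is no more sensitive than the live credential store. The context check is substring-based and case-insensitive; a stricter deployment would also normalize common substitutions (0 for o, @ for a) before matching.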
Real-world CVE examples
- CVE-2020-4574 — key server application does not require strong passwords
Source: MITRE CWE (cwe.mitre.org).