{"@ID": "263", "@Name": "Password Aging with Long Expiration", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product supports password aging, but the expiration period is too long.", "Extended_Description": {"xhtml:p": ["Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. A long expiration provides more time for attackers to conduct password cracking before users are forced to change to a new password.", "Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS)."]}, "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "1390", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Architecture and Design", "Note": "COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic."}}, "Likelihood_Of_Exploit": "Low", "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": "Gain Privileges or Assume Identity", "Note": "As passwords age, the probability that they are compromised grows."}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Implementation", "Description": "Previously, \"password expiration\" was\n\t\t\t   widely advocated as a defense-in-depth approach to\n\t\t\t   minimize the risk of weak passwords, and it has become\n\t\t\t   a common practice.  Password expiration requires a\n\t\t\t   password to be changed within a fixed time window (such\n\t\t\t   as every 90 days).  However, this approach has\n\t\t\t   significant limitations in the current threat\n\t\t\t   landscape, and its utility has been reduced in light of\n\t\t\t   the adoption of related protection mechanisms (such as\n\t\t\t   password complexity and computational effort), along\n\t\t\t   with the recognition that regular password changes\n\t\t\t   often caused users to generate more predictable\n\t\t\t   passwords. As a result, this is now a Discouraged\n\t\t\t   Common Practice [REF-1488] [REF-1489], especially as\n\t\t\t   the sole factor in protecting passwords. It is still\n\t\t\t   strongly encouraged to force password changes in case\n\t\t\t   of evidence of compromise, but this is not the same as\n\t\t\t   a forced \"expiration\" on an arbitrary time\n\t\t\t   frame."}, {"Phase": "Architecture and Design", "Description": "Ensure that password aging is limited so that there is a defined maximum age for passwords. Note that if the expiration window is too short, it can cause users to generate poor or predictable passwords."}, {"Phase": "Architecture and Design", "Description": "Ensure that the user is notified several times leading up to the password expiration."}, {"Phase": "Architecture and Design", "Description": "Create mechanisms to prevent users from reusing passwords or creating similar passwords."}, {"Phase": "Implementation", "Description": "Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294].", "Effectiveness": "Discouraged Common Practice"}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "A system requires the changing of passwords every five years."}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "CLASP", "Entry_Name": "Allowing password aging"}}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "16"}, {"@CAPEC_ID": "49"}, {"@CAPEC_ID": "509"}, {"@CAPEC_ID": "55"}, {"@CAPEC_ID": "555"}, {"@CAPEC_ID": "560"}, {"@CAPEC_ID": "561"}, {"@CAPEC_ID": "565"}, {"@CAPEC_ID": "600"}, {"@CAPEC_ID": "652"}, {"@CAPEC_ID": "653"}, {"@CAPEC_ID": "70"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-1488"}, {"@External_Reference_ID": "REF-1489"}, {"@External_Reference_ID": "REF-44", "@Section": "\"Sin 19: Use of Weak Password-Based Systems.\" Page 279"}, {"@External_Reference_ID": "REF-18"}, {"@External_Reference_ID": "REF-1305"}, {"@External_Reference_ID": "REF-1289"}, {"@External_Reference_ID": "REF-1290"}, {"@External_Reference_ID": "REF-1291"}, {"@External_Reference_ID": "REF-1292"}, {"@External_Reference_ID": "REF-1293"}, {"@External_Reference_ID": "REF-1294"}]}, "Mapping_Notes": {"Usage": "Discouraged", "Rationale": "This CWE entry is closely related to the\n            absence of a practice (password expiration) that is no\n            longer widely supported as an effective protection\n            mechanism. In addition, it might be deprecated in the\n            future.", "Comments": "Consider CWEs related to the reliance on\n            passwords or single-factor authentication, or other CWEs\n            involving weak passwords.", "Reasons": {"Reason": {"@Type": "Potential Deprecation"}}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "Password expiration was once\n\t\t   widely advocated (see Mitigations), but it is no longer\n\t\t   actively supported. It might be appropriate to Deprecate\n\t\t   this entry, or at least change it significantly so that\n\t\t   readers can consider alternate mechanisms to protect\n\t\t   passwords (and/or avoid passwords entirely). However, older\n\t\t   software - and even modern software - might still need to\n\t\t   be mapped to this weakness if the software is obsolete or\n\t\t   not actively maintained, and expiration remains the only\n\t\t   option."}}, "Content_History": {"Submission": {"Submission_Name": "CLASP", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Description, Other_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Demonstrative_Examples, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Description, Potential_Mitigations, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Maintenance_Notes, Mapping_Notes, Potential_Mitigations, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Contribution": [{"@Type": "Feedback", "Contribution_Name": "Kurt Seifried, Chris Eng, G. Ann Campbell, Larry Shields, Jeffrey Walton, Jason Dryhurst-Smith, and other members of the CWE Community", "Contribution_Date": "2021-12-03", "Contribution_Comment": "Gave feedback on how to update CWE-262 and CWE-263 due to changing password management practices"}, {"@Type": "Feedback", "Contribution_Name": "Camille Gouttebroze", "Contribution_Organization": "CAST Software", "Contribution_Date": "2025-03-17", "Contribution_Version": "4.18", "Contribution_ReleaseDate": "2025-09-09", "Contribution_Comment": "suggested removal of password expiration as an acceptable mitigation in CWE-521 and provided references"}], "Previous_Entry_Name": {"@Date": "2008-04-11", "#text": "Allowing Unchecked Password Aging"}}}
