{"@ID": "309", "@Name": "Use of Password System for Primary Authentication", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1390", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "654", "@View_ID": "1000"}, {"@Nature": "PeerOf", "@CWE_ID": "308", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Background_Details": {"Background_Detail": "Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks,and such frequent compromise that their use in the most simple implementation is not practical."}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Architecture and Design"}}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": ["Bypass Protection Mechanism", "Gain Privileges or Assume Identity"], "Note": "A password authentication mechanism error will almost always result in attackers being authorized as valid users."}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": {"xhtml:p": "In order to protect password systems from compromise, the following should be noted:", "xhtml:ul": {"xhtml:li": ["Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stored encrypted, in a non-reversible state, such that the original text password cannot be extracted from the stored value.", "Password aging should be strictly enforced to ensure that passwords do not remain unchanged for long periods of time. The longer a password remains in use, the higher the probability that it has been compromised. For this reason, passwords should require refreshing periodically, and users should be informed of the risk of passwords which remain in use for too long.", "Password strength should be enforced intelligently. Rather than restrict passwords to specific content, or specific length, users should be encouraged to use upper and lower case letters, numbers, and symbols in their passwords. The system should also ensure that no passwords are derived from dictionary words."]}}}, {"Phase": "Architecture and Design", "Description": "Use a zero-knowledge password protocol, such as SRP."}, {"Phase": "Architecture and Design", "Description": "Ensure that passwords are stored safely and are not reversible."}, {"Phase": "Architecture and Design", "Description": "Implement password aging functionality that requires passwords be changed after a certain point."}, {"Phase": "Architecture and Design", "Description": "Use a mechanism for determining the strength of a password and notify the user of weak password use."}, {"Phase": "Architecture and Design", "Description": "Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-101", "Intro_Text": "In both of these examples, a user is logged in if their given password matches a stored password:", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:i": "//Login if hash matches stored hash", "xhtml:div": {"@style": "margin-left:1em;", "#text": "login_user();"}, "#text": "ctext = simple_digest(\"sha1\",plaintext,strlen(plaintext), ... );\n                        \n                        if (equal(ctext, secret_password())) {}"}, "#text": "unsigned char *check_passwd(char *plaintext) {}"}}, {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:i": "//Login if hash matches stored hash", "xhtml:div": {"@style": "margin-left:1em;", "#text": "login_user();"}, "#text": "String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance(\"SHA\");encer.update(plainTextIn);byte[] digest = password.digest();\n                     \n                     if (equal(digest,secret_password())) {}"}}], "Body_Text": "This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328).  It also does not use a salt (CWE-759)."}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "CLASP", "Entry_Name": "Using password systems"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A3", "Entry_Name": "Broken Authentication and Session Management", "Mapping_Fit": "CWE More Specific"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "16"}, {"@CAPEC_ID": "49"}, {"@CAPEC_ID": "509"}, {"@CAPEC_ID": "55"}, {"@CAPEC_ID": "555"}, {"@CAPEC_ID": "560"}, {"@CAPEC_ID": "561"}, {"@CAPEC_ID": "565"}, {"@CAPEC_ID": "600"}, {"@CAPEC_ID": "652"}, {"@CAPEC_ID": "653"}, {"@CAPEC_ID": "70"}]}, "References": {"Reference": {"@External_Reference_ID": "REF-18"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CLASP", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Organization": "Veracode", "Modification_Date": "2008-08-15", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "Suggested OWASP Top Ten 2004 mapping"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Background_Details, Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Likelihood_of_Exploit"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships, Weakness_Ordinalities"}], "Previous_Entry_Name": {"@Date": "2008-04-11", "#text": "Using Password Systems"}}}
