logo

CWE-262 - Not Using Password Aging

CWE-262 Low

  • Abstraction:
  • Base
  • Structure:
  • Simple
  • Status:
  • Draft
Weakness Name

Not Using Password Aging

Description

The product does not have a mechanism in place for managing password aging.

Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. Without mechanisms such as aging, users might not change their passwords in a timely manner. Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).

Common Consequences

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Notes: As passwords age, the probability that they are compromised grows.

Related Weaknesses

CWE-1390Weak Authentication

CWE-324Use of a Key Past its Expiration DateLow

CWE-309Use of Password System for Primary AuthenticationHigh

  • Release Date:
  • 2006-07-19
  • Latest Modification Date:
  • 2023-06-29

Free security scan for your website