CWE-521 - Weak Password Requirements
CWE-521
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Draft
- Weakness Name
Weak Password Requirements
- Description
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.
- Common Consequences
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: An attacker could easily guess user passwords and gain access user accounts.
- Related Weaknesses
- Release Date:
- 2006-07-19
- Latest Modification Date:
- 2023-06-29
Free security scan for your website