Weak Password Requirements [CWE-521]
The Weak Password Requirements weakness describes a case where an application implements a poor password policy, allowing users to create short or very simple passwords.
Created: June 11, 2018
Latest Update: December 28, 2020
Table of Contents
- Description
- Potential impact
- Attack patterns
- Affected software
- Severity and CVSS Scoring
- Mitigations
- Vulnerability Remediation Techniques and Examples
- References
Want an in-depth understanding of all modern aspects of Weak Password Requirements [CWE-521]? Read this article carefully and bookmark it to come back to later; we update this page regularly.
1. Description
The weakness occurs when the application does not check the complexity or minimum length of the passwords it accepts. The entire security of an application depends on its authentication mechanism. Weak password requirements allow users to create weak passwords that are susceptible to a variety of attacks.
2. Potential impact
The vulnerability may allow an attacker to guess users’ passwords and gain unauthorized access to the application.
3. Attack patterns
The following attack patterns can be used to exploit weak password requirements according to the CAPEC (Common Attack Pattern Enumeration and Classification) classification:
- CAPEC-16: Dictionary-based Password Attack
- CAPEC-49: Password Brute Forcing
- CAPEC-55: Rainbow Table Password Cracking
- CAPEC-70: Try Common or Default Usernames and Passwords
- CAPEC-112: Brute Force
4. Affected software
This vulnerability arises in applications that require user authentication.
5. Severity and CVSS Scoring
The severity of this vulnerability depends on the application's functionality and on the privileges of the user account protected by the weak password. In the case of modern web applications, a weak password on an administrative account can lead to compromise of the web application or even of the underlying system. In such cases the vulnerability is considered critical, with a CVSSv3 score of 8.1:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6. Mitigations
When dealing with web applications, it is advised to add an additional layer of authentication (e.g. HTTP Basic authentication) in front of administrative user accounts where the password policy cannot be changed and the source code cannot be modified. It is also recommended to restrict access to the administrative interface to a list of trusted IP addresses only.
7. Vulnerability Remediation Techniques and Examples
It is recommended to always require strong passwords. A strong password should contain lower- and upper-case characters, digits and special symbols, and be at least 8 characters long.
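The following server-side policy check is an added example (not ImmuniWeb's code or a library API) that enforces the requirements above and, going one step beyond them, also rejects passwords that are only a disguised common word or that contain the user's own name, since character-class rules alone do not stop the dictionary attacks listed in section 3. The COMMON_WORDS list and the leet-speak map are constructed stand-ins for a real breached-password dictionary.

```python
# Added example: password policy enforcement for a registration or
# change-password handler. COMMON_WORDS is a constructed, deliberately short
# list standing in for a real breached-password dictionary.
MIN_LENGTH = 8
COMMON_WORDS = ("password", "qwerty", "letmein", "welcome", "iloveyou")

# Undo the substitutions users typically apply to satisfy complexity rules
# without actually choosing a stronger password (constructed map).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, undo leet-speak and keep letters only: 'P@ssw0rd1!' -> 'passwordii'."""
    return "".join(c for c in password.lower().translate(LEET) if c.isalpha())


def password_policy_violations(password: str, username: str = "") -> list:
    """Return every rule the password breaks; an empty list means it is accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("no special symbol")
    base = normalize(password)
    # Character classes alone do not stop a dictionary attack (CAPEC-16):
    # 'P@ssw0rd1!' passes every check above but is a trivial variant of 'password'.
    if any(word in base for word in COMMON_WORDS):
        violations.append("based on a common password")
    user = normalize(username)
    if user and user in base:
        violations.append("contains the username")
    return violations


def is_strong_password(password: str, username: str = "") -> bool:
    """Convenience wrapper for handlers that only need accept/reject."""
    return not password_policy_violations(password, username)


if __name__ == "__main__":
    for pw in ("abc", "P@ssw0rd1!", "Tr0ub4dor&3"):
        print(pw, "->", password_policy_violations(pw) or "accepted")
```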
8. References
- CWE-521: Weak Password Requirements [cwe.mitre.org]
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.