BaseDraft

CWE-263Password Aging with Long Expiration

Category: auth

Description

The product supports password aging, but the expiration period is too long.

Common consequences· 1

  • Access Control — Gain Privileges or Assume Identity
    As passwords age, the probability that they are compromised grows.

Potential mitigations· 5

  • [Implementation]Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and its utility has been reduced in light of the adoption of related protection mechanisms (such as password complexity and computational effort), along with the recognition that regular password changes often caused users to generate more predictable passwords. As a result, this is now a Discouraged Common Practice [REF-1488] [REF-1489], especially as the sole factor in protecting passwords. It is still strongly encouraged to force password changes in case of evidence of compromise, but this is not the same as a forced "expiration" on an arbitrary time frame.
  • [Architecture and Design]Ensure that password aging is limited so that there is a defined maximum age for passwords. Note that if the expiration window is too short, it can cause users to generate poor or predictable passwords.
  • [Architecture and Design]Ensure that the user is notified several times leading up to the password expiration.
  • [Architecture and Design]Create mechanisms to prevent users from reusing passwords or creating similar passwords.
  • [Implementation]Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294].

Related CAPEC attack patterns· 12

CAPEC-16CAPEC-49CAPEC-509CAPEC-55CAPEC-555CAPEC-560CAPEC-561CAPEC-565CAPEC-600CAPEC-652CAPEC-653CAPEC-70

References

  1. https://cwe.mitre.org/data/definitions/263.html

Exploits (incoming)12

TypeTargetConfidenceTier
AttackPatternRemote Services with Stolen Credentialscapec-555100%live
AttackPatternUse of Known Kerberos Credentialscapec-652100%live
AttackPatternUse of Known Domain Credentialscapec-560100%live
AttackPatternTry Common or Default Usernames and Passwordscapec-70100%live
AttackPatternRainbow Table Password Crackingcapec-55100%live
AttackPatternPassword Brute Forcingcapec-49100%live
AttackPatternPassword Sprayingcapec-565100%live
AttackPatternUse of Known Operating System Credentialscapec-653100%live
AttackPatternDictionary-based Password Attackcapec-16100%live
AttackPatternKerberoastingcapec-509100%live
AttackPatternWindows Admin Shares with Stolen Credentialscapec-561100%live
AttackPatternCredential Stuffingcapec-600100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Not Using Password Aging
CWE
Weak Password Requirements
CWE
Improper Restriction of Excessive Authentication Attempts
CWE
Weak Password Recovery Mechanism for Forgotten Password
CWE
Use of a Key Past its Expiration Date
CWE
Missing Password Field Masking
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.