CWE-309: Use of Password System for Primary Authentication
Abstraction: Base · Status: Draft
Category: auth
Description
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
Common consequences (1)
- Access Control (Bypass Protection Mechanism, Gain Privileges or Assume Identity): A password authentication mechanism error will almost always result in attackers being authorized as valid users.
Potential mitigations (5)
- [Architecture and Design]
- [Architecture and Design] Use a zero-knowledge password protocol, such as SRP.
- [Architecture and Design] Ensure that passwords are stored safely and are not reversible.
- [Architecture and Design] Implement password aging functionality that requires passwords to be changed after a certain point.
- [Architecture and Design] Use a mechanism for determining the strength of a password and notify the user of weak password use.
Related CAPEC attack patterns (12)
References
Exploits (incoming): 12
| Type | Target | Confidence | Tier |
|---|---|---|---|
| AttackPattern | Credential Stuffing (CAPEC-600) | 100% | live |
| AttackPattern | Use of Known Kerberos Credentials (CAPEC-652) | 100% | live |
| AttackPattern | Try Common or Default Usernames and Passwords (CAPEC-70) | 100% | live |
| AttackPattern | Password Spraying (CAPEC-565) | 100% | live |
| AttackPattern | Rainbow Table Password Cracking (CAPEC-55) | 100% | live |
| AttackPattern | Use of Known Operating System Credentials (CAPEC-653) | 100% | live |
| AttackPattern | Dictionary-based Password Attack (CAPEC-16) | 100% | live |
| AttackPattern | Password Brute Forcing (CAPEC-49) | 100% | live |
| AttackPattern | Use of Known Domain Credentials (CAPEC-560) | 100% | live |
| AttackPattern | Remote Services with Stolen Credentials (CAPEC-555) | 100% | live |
| AttackPattern | Kerberoasting (CAPEC-509) | 100% | live |
| AttackPattern | Windows Admin Shares with Stolen Credentials (CAPEC-561) | 100% | live |
Related by meaning (6)
Nearest entities by semantic similarity across the cs-graph corpus.