BaseIncomplete

CWE-836Use of Password Hash Instead of Password for Authentication

Category: auth

Description

The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Common consequences· 1

  • Access Control — Bypass Protection Mechanism, Gain Privileges or Assume Identity
    An attacker could bypass the authentication routine without knowing the original password.

Related CAPEC attack patterns· 2

CAPEC-644CAPEC-652

References

  1. https://cwe.mitre.org/data/definitions/836.html

Exploits (incoming)2

TypeTargetConfidenceTier
AttackPatternUse of Known Kerberos Credentialscapec-652100%live
AttackPatternUse of Captured Hashes (Pass The Hash)capec-644100%live

(incoming)1

TypeTargetConfidenceTier
VulnerabilityCVE-2025-62618cve-2025-626180%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Use of Password Hash With Insufficient Computational Effort
CWE
Use of a One-Way Hash without a Salt
CWE
Plaintext Storage of a Password
CWE
Use of a One-Way Hash with a Predictable Salt
CWE
Use of Hard-coded Password
CWE
Missing Password Field Masking
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.