CWE-521 弱口令要求
Weak Password Requirements
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: unkown
基本描述
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
扩展描述
An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. Lack of password complexity significantly reduces the search space when trying to guess user's passwords, making brute-force attacks easier.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 1003 cwe_Ordinal: Primary
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | Gain Privileges or Assume Identity | An attacker could easily guess user passwords and gain access user accounts. |
可能的缓解方案
Architecture and Design
策略: Enforce usage of strong passwords. A password strength policy should contain the following attributes:
Architecture and Design
策略:
Authentication mechanisms should always require sufficiently complex passwords and require that they be periodically changed.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management |
相关攻击模式
- CAPEC-112
- CAPEC-16
- CAPEC-49
- CAPEC-55
- CAPEC-70