The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
View on MITREBy design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force. Credentials may be weak for different reasons, such as: Hard-coded (i.e., static and unchangeable by the administrator) Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator) Predictable (i.e., generated in a way that produces unique credentials across deployments/installations, but can still be guessed with reasonable efficiency) Even if a new, unique credential is intended to be generated for each product installation, if the generation is predictable, then that may also simplify guessing attacks.
No consequence information available for this CWE.
No mitigation information available for this CWE.
No detection method information available for this CWE.
Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391)
View DetailsDistributed Control System (DCS) uses a deterministic algorithm to generate utility passwords
View DetailsRemote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments
View Detailsdata visualization/sharing package uses default secret keys or cookie values if they are not specified in environment variables
View Detailspassword manager does not generate cryptographically strong passwords, allowing prediction of passwords using guessable details such as time of generation
View Detailspassword generator for cloud application has small length value, making it easier for brute-force guessing
View Detailsnetwork-attached storage (NAS) system has predictable default passwords for a diagnostics/support account
View DetailsIT asset management app has a default encryption key that is the same across installations
View DetailsInstallation script has a hard-coded secret token value, allowing attackers to bypass authentication
View DetailsIntrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic
View DetailsResidential gateway uses the last 5 digits of the 'Network Name' or SSID as the default WEP key, which allows attackers to get the key by sniffing the SSID, which is sent in the clear
View DetailsCWE-1391: Use of Weak Credentials is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker. By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force. Credentials may be weak for different reasons, such as: Hard-coded (i.e., static and unchangeable by the administrator) Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator) Predictable (i.e., generated in a way that produces unique credentials across deployments/installations, but can still be guessed with reasonable efficiency) Even if a new, unique credential is intended to be generated for each product installation, if the generation is predictable, then that may also simplify guessing attacks.
CWE-1391 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-1391, including [REF-1374], CVE-2022-30270, CVE-2022-29965, CVE-2022-30271 and CVE-2021-38759. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-1391 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.