CWE-262: Not Using Password Aging

CWE-262: Not Using Password Aging is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not have a mechanism in place for managing password aging. Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. Without mechanisms such as aging, users might not change their passwords in a timely manner. Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).

If exploited, CWE-262 (Not Using Password Aging) it can compromise Access Control, leading to outcomes such as Gain Privileges or Assume Identity.

Recommended mitigations for CWE-262 include: As part of a product's design, require users to change their passwords regularly and avoid reusing previous passwords.

CWE-262 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

A CWE (Common Weakness Enumeration) like CWE-262 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.