CWE-309: Use of Password System for Primary Authentication

BaseDraftExploit Likelihood: High

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-309: Use of Password System for Primary Authentication?+

CWE-309: Use of Password System for Primary Authentication is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

What are the security consequences of Use of Password System for Primary Authentication?+

If exploited, CWE-309 (Use of Password System for Primary Authentication) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism and Gain Privileges or Assume Identity.

How do you prevent or mitigate Use of Password System for Primary Authentication?+

Recommended mitigations for CWE-309 include: In order to protect password systems from compromise, the following should be noted: Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stored encrypted, in a non-reversible state, such that the original text password cannot be extracted from the stored value. Password aging should be strictly enforced to ensure that passwords do not remain unchanged for long periods of time. The longer a password remains in use, the higher the probability that it has been compromised. For this reason, passwords should require refreshing periodically, and users should be informed of the risk of passwords which remain in use for too long. Password strength should be enforced intelligently. Rather than restrict passwords to specific content, or specific length, users should be encouraged to use upper and lower case letters, numbers, and symbols in their passwords. The system should also ensure that no passwords are derived from dictionary words. Use a zero-knowledge password protocol, such as SRP. Ensure that passwords are stored safely and are not reversible.

Which programming languages are affected by Use of Password System for Primary Authentication?+

CWE-309 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-309 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More