The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.
View on MITREBy bypassing the security mechanism, a user might leave the system in a less secure state than intended by the administrator, making it more susceptible to compromise.
Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.
Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
No relationship information available for this CWE.
CWE-655: Insufficient Psychological Acceptability is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.
If exploited, CWE-655 (Insufficient Psychological Acceptability) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism.
Recommended mitigations for CWE-655 include: Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why. Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.
CWE-655 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-655 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.