CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Weekly newsletter on AI, Application Security & Cybercrime


Your data will stay confidential Private and Confidential

Weak Password Requirements [CWE-521]

Weak Password Requirements weakness described a case where application implements a poor password policy allowing users to create short or very simple passwords.

Weak Password Requirements [CWE-521]

Created: June 11, 2018
Latest Update: January 10, 2019

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. Vulnerability Remediation Techniques and Examples
  8. References

1. Description

The weakness occurs when the application does not check complexity or minimum length of the provided passwords. Entire security of application depends on its authentication mechanism. Weak password requirements allow users to create weak passwords, susceptible to a verity of attacks.

2. Potential impact

The vulnerability may allow an attacker to guess users’ passwords and gain unauthorized access to the application.

How to Detect Weak Password Requirements Vulnerabilities
Free Website Security Test
  • Non-intrusive GDPR Test
  • Non-intrusive PCI DSS Test
Try Free Test
ImmuniWeb® On-Demand
  • Complete GDPR Audit
  • Complete PCI DSS Audit
  • Remediation Guidelines
  • DevSecOps Integration
Learn More

3. Attack patterns

The following attack patterns can be used to exploit cleartext storage of sensitive information according to CAPEC (Common Attack Pattern Enumeration and Classification) classification:

4. Affected software

This vulnerability arises in application that require user authentication.

5. Severity and CVSS Scoring

Severity of this vulnerability depends on the application functionality and privileges of the user account with weak password. In case of modern web applications weak password for administrative account can lead to web application or even system compromise. In such case, the vulnerability is considered critical with CVSSv3 score 8.1:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6. Mitigations

When dealing with web applications, it is advices to provide an additional level of authentication (e.g. HTTP Basic authentication) for administrative user accounts in case where password policy management or source code modification is not possible. It is also recommended to restrict access to administrative interface to a list of trusted IP addresses only.

7. Vulnerability Remediation Techniques and Examples

It is recommended to always demand usage of strong passwords. A strong password should contain lower- and upper-case characters, digits, special symbols and be at least 8 characters long.

8. References

  1. CWE-521: Weak Password Requirements [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top
Quick Start
Solutions
Get a Demo
Newsletter