CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types


CWE-521: Weak Password Requirements

Weakness ID: 521
Abstraction: Base
Structure: Simple
+Description
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
+Extended Description
Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depend on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.
+Relationships
Section Help: This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
+Relevant to the view "Research Concepts" (CWE-1000)
Nature    Type     ID    Name
ChildOf   Class    1391  Use of Weak Credentials
ParentOf  Variant  258   Empty Password in Configuration File
+Relevant to the view "Software Development" (CWE-699)
Nature    Type      ID    Name
MemberOf  Category  255   Credentials Management Errors
+Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003)
Nature    Type      ID    Name
ChildOf   Class     287   Improper Authentication
+Relevant to the view "Architectural Concepts" (CWE-1008)
Nature    Type      ID    Name
MemberOf  Category  1010  Authenticate Actors
+Modes of Introduction
Section Help: The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
Phase                    Note
Architecture and Design  COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Implementation           Not enforcing the password policy stated in a product's design can allow users to create passwords that do not provide the necessary level of protection.
+Applicable Platforms
Section Help: This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Not Language-Specific (Undetermined Prevalence)

Technologies

Class: Not Technology-Specific (Undetermined Prevalence)

+Common Consequences
Section Help: This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Scope           Impact                                              Likelihood
Access Control

Technical Impact: Gain Privileges or Assume Identity

An attacker could easily guess user passwords and gain access to user accounts.
+Observed Examples
Reference  Description
key server application does not require strong passwords
+Potential Mitigations

Phase: Architecture and Design

A product's design should require adherence to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:

  • Enforcement of minimum and maximum length
  • Restrictions against password reuse
  • Restrictions against using common passwords
  • Restrictions against using contextual strings in the password (e.g., user id, app name)

Depending on the threat model, the password policy may include several additional attributes.

  • Complex passwords requiring mixed character sets (alpha, digit, special, mixed case)
    • Increasing the range of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication.
    • Unfortunately, a complex password may be difficult to memorize, encouraging a user to select a short password or to incorrectly manage the password (write it down).
    • Another disadvantage of this approach is that it often does not result in a significant increase in overall password complexity, due to people's predictable usage of various symbols.
  • Large minimum length (encouraging passphrases instead of passwords)
    • Increasing the number of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication.
    • A disadvantage of this approach is that selecting a good passphrase is not easy and poor passwords can still be generated. Some prompting may be needed to encourage long unpredictable passwords.
  • Randomly chosen secrets
    • Generating a password for the user can help make sure that length and complexity requirements are met, and can result in secure passwords being used.
    • A disadvantage of this approach is that the resulting password or passphrase may be too difficult to memorize, encouraging it to be written down.
  • Password expiration
    • Requiring a periodic password change can reduce the time window that an adversary has to crack a password, while also limiting the damage caused by password exposures at other locations.
    • Password expiration may be a good mitigating technique when long complex passwords are not desired.

See NIST 800-63B [REF-1053] for further information on password requirements.

Phase: Architecture and Design

Consider a second authentication factor beyond the password, which prevents the password from being a single point of failure. See CWE-308 for further information.

Phase: Implementation

Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.
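The following is an added example, not code from the CWE entry or from MITRE. It enforces the four recommended policy attributes from the Architecture and Design mitigation above (length bounds, reuse, common-password blocklist, contextual strings) and also serves as the complexity meter suggested for the Implementation phase, reporting which attributes a candidate password meets. The thresholds, the function names, the six-entry blocklist and the sample passwords are assumptions chosen for illustration; a real deployment would load a breached-password corpus and tune the limits to its own threat model. One practitioner's caveat, grounded in the cited NIST SP 800-63B (section 5.1.1.2): that guideline favors blocklist screening and a generous maximum length over mandatory composition rules and arbitrary periodic rotation, so the example treats the character-class mix as meter feedback rather than as a hard requirement.

```python
"""Password policy checker and complexity meter (added example, not CWE/MITRE code).

Assumptions: the thresholds, function names and the tiny blocklist below are
illustrative; a real deployment loads a breached-password corpus and tunes the
limits to its threat model.
"""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample blocklist; production systems use a large breached-password list.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1", "password1"})

# Previous passwords are kept only as salted PBKDF2 digests so reuse can be
# detected without storing them in clear (a memory-hard KDF is preferable in production).
PBKDF2_ITERATIONS = 100_000


def weak_check(password: str) -> bool:
    """The weak requirement this CWE describes: any six characters are accepted."""
    return len(password) >= 6


def hash_for_history(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storing in a password-history table."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, entry: Tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, stored = entry
    return hmac.compare_digest(hash_for_history(password, salt)[1], stored)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 128  # bounds hashing cost; not a strength requirement
    history_size: int = 5  # how many previous digests are compared for reuse

    def violations(self, password: str, *, username: str = "", app_name: str = "",
                   history: Tuple[Tuple[bytes, bytes], ...] = ()) -> List[str]:
        """Return every policy violation; an empty list means the password is accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        lowered = password.casefold()
        if lowered in COMMON_PASSWORDS:
            problems.append("is a common password")
        # Contextual strings: reject passwords built around the user id or app name.
        for label, ctx in (("user id", username), ("application name", app_name)):
            if len(ctx) >= 3 and ctx.casefold() in lowered:
                problems.append(f"contains the {label} {ctx!r}")
        if any(matches_history(password, e) for e in history[-self.history_size:]):
            problems.append("was used recently (reuse)")
        return problems


def complexity_meter(policy: PasswordPolicy, password: str) -> Dict[str, object]:
    """UI-meter feedback: which attributes are met plus a rough entropy estimate.

    The estimate assumes uniformly random choice from the character classes
    present, which overstates the strength of human-chosen passwords; it is a
    hint for the user, not a security guarantee.
    """
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    pool = (26 * classes["lowercase"] + 26 * classes["uppercase"]
            + 10 * classes["digit"] + 33 * classes["symbol"])
    bits = round(len(password) * math.log2(pool), 1) if pool else 0.0
    return {
        "length_ok": policy.min_length <= len(password) <= policy.max_length,
        "not_common": password.casefold() not in COMMON_PASSWORDS,
        **classes,
        "estimated_bits": bits,
    }


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = (hash_for_history("Spring2023!Rotate"),)  # constructed previous password
    for pw in ("alice1", "correct horse battery staple", "Spring2023!Rotate"):
        print(f"{pw!r}: weak_check={weak_check(pw)} "
              f"violations={policy.violations(pw, username='alice', app_name='AcmeApp', history=history)} "
              f"meter={complexity_meter(policy, pw)}")
```

Running the script shows the contrast the Modes of Introduction table describes: `weak_check` accepts `alice1`, while the policy rejects it for being too short and for containing the user id, flags the previously used `Spring2023!Rotate` as reuse, and accepts the long passphrase. The reuse check compares against stored digests, so the history table never needs old passwords in clear text.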
+Memberships
Section HelpThis MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
Nature    Type      ID    Name
MemberOf  Category  724   OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
MemberOf  View      884   CWE Cross-section
MemberOf  Category  951   SFP Secondary Cluster: Insecure Authentication Policy
MemberOf  Category  1353  OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
+Taxonomy Mappings
Mapped Taxonomy Name  Node ID  Fit                Mapped Node Name
OWASP Top Ten 2004    A3       CWE More Specific  Broken Authentication and Session Management
+References
[REF-44] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 19: Use of Weak Password-Based Systems." Page 279. McGraw-Hill. 2010.
[REF-1053] NIST. "Digital Identity Guidelines (SP 800-63B)". Sections: 5.1.1, 10.2.1, and Appendix A. 2017-06. <https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf>.
+Content History
+Submissions
Submission Date  Submitter  Organization
2006-07-19  Anonymous Tool Vendor (under NDA)
+Modifications
Modification Date  Modifier  Organization
2008-07-01  Eric Dalci  Cigital
updated Potential_Mitigations, Time_of_Introduction
2008-08-15  Veracode
Suggested OWASP Top Ten 2004 mapping
2008-09-08  CWE Content Team  MITRE
updated Description, Relationships, Taxonomy_Mappings
2009-05-27  CWE Content Team  MITRE
updated Related_Attack_Patterns
2011-03-29  CWE Content Team  MITRE
updated Potential_Mitigations, Relationships
2011-06-01  CWE Content Team  MITRE
updated Common_Consequences
2012-05-11  CWE Content Team  MITRE
updated Common_Consequences, References, Relationships
2014-07-30  CWE Content Team  MITRE
updated Relationships
2017-11-08  CWE Content Team  MITRE
updated Modes_of_Introduction, Relationships, Taxonomy_Mappings
2019-06-20  CWE Content Team  MITRE
updated Relationships
2020-02-24  CWE Content Team  MITRE
updated Applicable_Platforms, Description, Modes_of_Introduction, Potential_Mitigations, References
2020-08-20  CWE Content Team  MITRE
updated Related_Attack_Patterns
2021-10-28  CWE Content Team  MITRE
updated Relationships
2022-10-13  CWE Content Team  MITRE
updated Observed_Examples, Potential_Mitigations, Relationships
Page Last Updated: January 31, 2023