Weaknesses in this category are related to the management of credentials.
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | V | 699 | Software Development |
| HasMember | Allowed | B | 1392 | Use of Default Credentials |
| HasMember | Allowed | B | 256 | Plaintext Storage of a Password |
| HasMember | Allowed | B | 257 | Storing Passwords in a Recoverable Format |
| HasMember | Allowed | B | 260 | Password in Configuration File |
| HasMember | Allowed | B | 261 | Weak Encoding for Password |
| HasMember | Allowed | B | 262 | Not Using Password Aging |
| HasMember | Allowed | B | 263 | Password Aging with Long Expiration |
| HasMember | Allowed | B | 324 | Use of a Key Past its Expiration Date |
| HasMember | Allowed | B | 521 | Weak Password Requirements |
| HasMember | Allowed | B | 523 | Unprotected Transport of Credentials |
| HasMember | Allowed | B | 549 | Missing Password Field Masking |
| HasMember | Allowed | B | 620 | Unverified Password Change |
| HasMember | Allowed-with-Review | B | 640 | Weak Password Recovery Mechanism for Forgotten Password |
| HasMember | Allowed | B | 798 | Use of Hard-coded Credentials |
| HasMember | Allowed | B | 916 | Use of Password Hash With Insufficient Computational Effort |
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1287]. This CWE ID may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016).
Some weakness-oriented alternatives might be found under Improper Authentication (CWE-287) or keyword searches for credentials.
| Taxonomy Name | Entry ID | Fit | Entry Name |
|---|---|---|---|
| OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management |