Byte Open Security (ByteOS Network)

CWE-309: Use of Password System for Primary Authentication
Weakness ID: 309
Version: v4.17
Weakness Name: Use of Password System for Primary Authentication
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit: High
▼Description

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"

Nature   | Mapping             | Type  | ID   | Name
ChildOf  | Allowed-with-Review | Class | 1390 | Weak Authentication
ChildOf  | Allowed             | Base  | 654  | Reliance on a Single Factor in a Security Decision
ParentOf | Allowed             | Base  | 308  | Use of Single-factor Authentication
ParentOf | Allowed             | Base  | 262  | Not Using Password Aging
▼Memberships
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 724  | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
MemberOf | Prohibited | Category | 947  | SFP Secondary Cluster: Authentication Bypass
MemberOf | Prohibited | Category | 1211 | Authentication Errors
MemberOf | Prohibited | Category | 1396 | Comprehensive Categorization: Access Control
▼Tags
Nature   | Mapping    | Type     | ID       | Name
MemberOf | Prohibited | BOSSView | BOSS-274 | High likelihood of exploit
MemberOf | Prohibited | BOSSView | BOSS-294 | Not Language-Specific Weaknesses
MemberOf | Prohibited | BOSSView | BOSS-316 | Bypass Protection Mechanism (impact)
MemberOf | Prohibited | BOSSView | BOSS-332 | Gain Privileges or Assume Identity (impact)
▼Relevant To View
Relevant to the view "Software Development - (699)"

Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 1211 | Authentication Errors

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"

Nature   | Mapping    | Type     | ID  | Name
MemberOf | Prohibited | Category | 947 | SFP Secondary Cluster: Authentication Bypass
▼Background Detail

Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well-known attacks and such frequent compromise that their use in the simplest implementation is not practical.

▼Common Consequences
Scope          | Likelihood | Impact                                                          | Note
Access Control | N/A        | Bypass Protection Mechanism; Gain Privileges or Assume Identity | A password authentication mechanism error will almost always result in attackers being authorized as valid users.

▼Potential Mitigations

Phase: Architecture and Design

In order to protect password systems from compromise, the following should be noted:

  • Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stored encrypted, in a non-reversible state, such that the original text password cannot be extracted from the stored value.
  • Password aging should be strictly enforced to ensure that passwords do not remain unchanged for long periods of time. The longer a password remains in use, the higher the probability that it has been compromised. For this reason, passwords should require refreshing periodically, and users should be informed of the risk of passwords which remain in use for too long.
  • Password strength should be enforced intelligently. Rather than restrict passwords to specific content, or specific length, users should be encouraged to use upper and lower case letters, numbers, and symbols in their passwords. The system should also ensure that no passwords are derived from dictionary words.

Phase: Architecture and Design

Use a zero-knowledge password protocol, such as SRP.

Phase: Architecture and Design

Ensure that passwords are stored safely and are not reversible.

Phase: Architecture and Design

Implement password aging functionality that requires passwords be changed after a certain point.

Phase: Architecture and Design

Use a mechanism for determining the strength of a password and notify the user of weak password use.

Phase: Architecture and Design

Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.

▼Modes Of Introduction
Phase: Architecture and Design
Note:

N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In both of these examples, a user is logged in if their given password matches a stored password:

Language: C (Bad code)

```c
unsigned char *check_passwd(char *plaintext) {
    unsigned char *ctext;
    /* Unsalted SHA-1 digest of the password the user just typed */
    ctext = simple_digest("sha1", plaintext, strlen(plaintext), ... );
    /* Login if hash matches stored hash */
    if (equal(ctext, secret_password())) {
        login_user();
    }
}
```

Language: Java (Bad code)

```java
String plainText = new String(plainTextIn);
// Unsalted "SHA" (SHA-1) digest of the password the user just typed
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(plainTextIn);
byte[] digest = encer.digest();
// Login if hash matches stored hash
if (equal(digest, secret_password())) {
    login_user();
}
```

This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759).
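The mitigations listed above (non-reversible storage, password aging, strength checking) and the unsalted SHA-1 comparison in Example 1 can be contrasted in one place. The following Python is an added example, not code from the CWE entry or from CLASP: it persists only a per-user random salt and a PBKDF2-HMAC-SHA256 digest, verifies a candidate with a constant-time comparison, rejects a correct-but-expired password, and flags short, single-class or dictionary-derived passwords. The 600,000-iteration work factor, the 90-day age limit, the 12-character minimum and the five-entry word list are constructed policy values chosen for illustration.

```python
"""Added example (not from the CWE entry): one-way, salted password storage
with verification, password aging and a strength check.

Policy values below (iteration count, maximum age, minimum length and the
tiny word list) are constructed for illustration, not taken from the entry.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 600_000            # work factor; raise as hardware improves
MAX_PASSWORD_AGE_SECONDS = 90 * 86400  # password-aging limit (constructed)
MIN_LENGTH = 12                        # minimum length (constructed)
# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}


def store_password(plaintext: str, now: Optional[float] = None) -> Dict:
    """Build the record that is persisted for a user.

    Only a fresh random salt and the PBKDF2-HMAC-SHA256 digest are kept, so
    the original password cannot be recovered from the stored value. Storing
    the same password twice yields different digests because the salt differs,
    which defeats precomputed (rainbow-table) lookups.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt,
        "digest": digest,
        "iterations": PBKDF2_ITERATIONS,
        "set_at": time.time() if now is None else now,
    }


def verify_password(record: Dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare
    it in constant time, so timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def password_expired(record: Dict, now: Optional[float] = None) -> bool:
    """Password aging: True once the password is older than the policy allows."""
    current = time.time() if now is None else now
    return current - record["set_at"] > MAX_PASSWORD_AGE_SECONDS


def strength_problems(plaintext: str) -> List[str]:
    """Return the reasons a candidate password is weak (empty list = acceptable).

    Follows the entry's guidance: encourage mixed character classes rather than
    a fixed pattern, and reject passwords derived from dictionary words.
    """
    problems = []
    if len(plaintext) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum([
        any(c.islower() for c in plaintext),
        any(c.isupper() for c in plaintext),
        any(c.isdigit() for c in plaintext),
        any(not c.isalnum() for c in plaintext),
    ])
    if classes < 3:
        problems.append("uses fewer than three character classes")
    # Strip the digits/symbols people bolt onto a word, so "Password123!"
    # is still recognised as the dictionary word "password".
    core = plaintext.lower().strip("0123456789!@#$%^&*()_-+=.,;:?")
    if core in COMMON_WORDS:
        problems.append("derived from a common dictionary word")
    return problems


def login(record: Dict, candidate: str, now: Optional[float] = None) -> str:
    """Combine the checks: "denied", "change-required" (correct but expired) or "ok"."""
    if not verify_password(record, candidate):
        return "denied"
    if password_expired(record, now):
        return "change-required"
    return "ok"


if __name__ == "__main__":
    rec = store_password("Tr0ub4dor&3-horse")
    print("stored fields:", sorted(rec))            # no plaintext is kept
    print(login(rec, "Tr0ub4dor&3-horse"))           # ok
    print(login(rec, "Tr0ub4dor&3-horse".lower()))   # denied
    print(strength_problems("Password123!"))
```

The record keeps the iteration count alongside the salt so the work factor can be raised later without invalidating existing users: verification always uses the parameters stored with that record, and a record can be re-hashed at the next successful login.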

▼Observed Examples
Reference | Description
(no entries)
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality | Description
(no entries)
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name      | Entry ID | Fit               | Entry Name
CLASP              | N/A      | N/A               | Using password systems
OWASP Top Ten 2004 | A3       | CWE More Specific | Broken Authentication and Session Management
▼Related Attack Patterns
ID        | Name
CAPEC-16  | Dictionary-based Password Attack
CAPEC-49  | Password Brute Forcing
CAPEC-509 | Kerberoasting
CAPEC-55  | Rainbow Table Password Cracking
CAPEC-555 | Remote Services with Stolen Credentials
CAPEC-560 | Use of Known Domain Credentials
CAPEC-561 | Windows Admin Shares with Stolen Credentials
CAPEC-565 | Password Spraying
CAPEC-600 | Credential Stuffing
CAPEC-652 | Use of Known Kerberos Credentials
CAPEC-653 | Use of Known Operating System Credentials
CAPEC-70  | Try Common or Default Usernames and Passwords
▼References
Reference ID: REF-18
Title: The CLASP Application Security Process
Author: Secure Software, Inc.
Year: 2005
URL: https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
URL Date: 2024-11-17