CWE-263: Password Aging with Long Expiration

Description

The product supports password aging, but the expiration period is too long.

Extended Description

Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. A long expiration provides more time for attackers to conduct password cracking before users are forced to change to a new password. Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).

ThreatScore

Threat Mapped score: 3.25

Industry: Finiancial

Threat priority: P2 - Serious (High)

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

Attack TTPs

T1110.001 — Password Guessing (credential-access)
T1133 — External Remote Services (persistence, initial-access)
T1110.002 — Password Cracking (credential-access)
T1558 — Steal or Forge Kerberos Tickets (credential-access)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1021 — Remote Services (lateral-movement)
T1078.001 — Default Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1110.003 — Password Spraying (credential-access)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1110.004 — Credential Stuffing (credential-access)
T1114.002 — Remote Email Collection (collection)
T1558.003 — Kerberoasting (credential-access)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Architecture and Design	COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Common Consequences

Impact: Gain Privileges or Assume Identity — Notes: As passwords age, the probability that they are compromised grows.

Potential Mitigations

Architecture and Design: Ensure that password aging is limited so that there is a defined maximum age for passwords. Note that if the expiration window is too short, it can cause users to generate poor or predictable passwords. (N/A)
Architecture and Design: Ensure that the user is notified several times leading up to the password expiration. (N/A)
Architecture and Design: Create mechanisms to prevent users from reusing passwords or creating similar passwords. (N/A)
Implementation: Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294]. (Discouraged Common Practice)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: A system requires the changing of passwords every five years.

Notes

No notes available.

← Back to CWE list