Credentials Management Errors
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the management of credentials.
Weaknesses
The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.
Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.
The software stores a password in a configuration file that might be accessible to actors who do not know the password.
Storing a password in plaintext may result in a system compromise.
The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypte...
Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attac...
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exte...
The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking a...
Obscuring a password with a trivial encoding does not protect the password.
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
Concepts
This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.