1. Home
  2. CWE Database
  3. CWE-262
Base · Medium

CWE-262: Not Using Password Aging

The product does not have a mechanism in place for managing password aging.

CWE-262 · Base Level ·2 Mitigations

Description

The product does not have a mechanism in place for managing password aging.

Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. Without mechanisms such as aging, users might not change their passwords in a timely manner. Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).

Potential Impact

Access Control

Gain Privileges or Assume Identity

Mitigations & Prevention

Architecture and Design

As part of a product's design, require users to change their passwords regularly and avoid reusing previous passwords.

Implementation Discouraged Common Practice

Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294].

CWE-1390: Weak Authentication

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does ...

CWE-309: Use of Password System for Primary Authentication

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each...

CWE-324: Use of a Key Past its Expiration Date

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by ...

Taxonomy Mappings

  • CLASP: — Not allowing password aging

Frequently Asked Questions

What is CWE-262?

CWE-262 (Not Using Password Aging) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not have a mechanism in place for managing password aging.

How can CWE-262 be exploited?

Attackers can exploit CWE-262 (Not Using Password Aging) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-262?

Key mitigations include: As part of a product's design, require users to change their passwords regularly and avoid reusing previous passwords.

What is the severity of CWE-262?

CWE-262 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.