Description
The product supports password aging, but the expiration period is too long.
Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. A long expiration provides more time for attackers to conduct password cracking before users are forced to change to a new password. Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).
Potential Impact
Access Control
Gain Privileges or Assume Identity
Mitigations & Prevention
Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and its utility has been reduced in light of the adoption of related protection mechanisms (such
Ensure that password aging is limited so that there is a defined maximum age for passwords. Note that if the expiration window is too short, it can cause users to generate poor or predictable passwords.
Ensure that the user is notified several times leading up to the password expiration.
Create mechanisms to prevent users from reusing passwords or creating similar passwords.
Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294].
Related Weaknesses
Taxonomy Mappings
- CLASP: — Allowing password aging
Frequently Asked Questions
What is CWE-263?
CWE-263 (Password Aging with Long Expiration) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product supports password aging, but the expiration period is too long.
How can CWE-263 be exploited?
Attackers can exploit CWE-263 (Password Aging with Long Expiration) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-263?
Key mitigations include: Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiratio
What is the severity of CWE-263?
CWE-263 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.