CWE-309: Use of Password System for Primary Authentication

Description

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

Potential Impact

Access Control

Bypass Protection Mechanism, Gain Privileges or Assume Identity

Demonstrative Examples

In both of these examples, a user is logged in if their given password matches a stored password:
Bad (C):

    unsigned char *check_passwd(char *plaintext) {
        unsigned char *ctext = simple_digest("sha1", plaintext, strlen(plaintext), ... );
        // Login if hash matches stored hash
        if (equal(ctext, secret_password())) {
            login_user();
        }
    }
Bad (Java):

    import java.security.MessageDigest;

    String plainText = new String(plainTextIn);
    MessageDigest encer = MessageDigest.getInstance("SHA");
    encer.update(plainTextIn);
    byte[] digest = encer.digest();   // the original read password.digest(); encer is the digest object in scope
    // Login if hash matches stored hash
    if (MessageDigest.isEqual(digest, secret_password())) {
        login_user();
    }
This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759).

Mitigations & Prevention

Phase: Architecture and Design

In order to protect password systems from compromise, the following should be noted:

  • Use a zero-knowledge password protocol, such as SRP.
  • Ensure that passwords are stored safely and are not reversible.
  • Implement password aging functionality that requires passwords be changed after a certain point.
  • Use a mechanism for determining the strength of a password and notify the user of weak password use.
  • Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.
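The storage, aging and strength mitigations listed above, beside the unsalted SHA-1 pattern from the demonstrative examples, as an added Python example that is not part of the CWE entry. The PBKDF2 work factor, the 90-day maximum age and the strength rule are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Work factor and maximum age are assumptions for this example, not values from the CWE page.
KDF_ITERATIONS = 600_000            # PBKDF2-HMAC-SHA256 iterations per login attempt
MAX_PASSWORD_AGE = 90 * 24 * 3600   # password aging: rotate after 90 days (seconds)

def unsalted_sha1(password: str) -> bytes:
    """What the CWE-309 examples store: a single unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode()).digest()

def bad_check(plaintext: str, stored: bytes) -> bool:
    """Mirrors the CWE-309 examples: equal passwords give equal, precomputable hashes."""
    return unsalted_sha1(plaintext) == stored

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = KDF_ITERATIONS, now: Optional[float] = None) -> dict:
    """Store a password irreversibly: random per-user salt plus a slow KDF (CWE-328, CWE-759)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest,
            "created": time.time() if now is None else now}

def verify_password(record: dict, candidate: str,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); an expired password is never accepted."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                  record["salt"], record["iterations"])
    # Constant-time comparison: a plain == may stop at the first differing byte.
    if not hmac.compare_digest(derived, record["digest"]):
        return False, "bad_password"
    now = time.time() if now is None else now
    if now - record["created"] > MAX_PASSWORD_AGE:
        return False, "password_expired"  # require a change before granting access
    return True, "ok"

def is_weak_password(password: str) -> bool:
    """Minimal strength gate: under 12 characters or fewer than three character classes."""
    classes = sum(any(f(c) for c in password)
                  for f in (str.islower, str.isupper, str.isdigit))
    has_symbol = any(not c.isalnum() for c in password)
    return len(password) < 12 or classes + int(has_symbol) < 3
```

With the unsalted scheme two users who chose the same password share one stored value; with hash_password each record gets its own salt, so the same password produces different digests and a leaked table cannot be attacked with one precomputed lookup.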

Taxonomy Mappings

  • CLASP — Using password systems
  • OWASP Top Ten 2004: A3 — Broken Authentication and Session Management

Frequently Asked Questions

What is CWE-309?

CWE-309 (Use of Password System for Primary Authentication) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

How can CWE-309 be exploited?

Attackers can exploit CWE-309 (Use of Password System for Primary Authentication) to bypass a protection mechanism, gain privileges, or assume another user's identity. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-309?

Key mitigations, all at the Architecture and Design phase, include: using a zero-knowledge password protocol such as SRP; storing passwords safely and irreversibly; implementing password aging so passwords must be changed after a certain point; measuring password strength and notifying the user when a weak password is used; and informing users why the password protections exist, how they protect data integrity, and why their warnings should be heeded.

What is the severity of CWE-309?

CWE-309 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.