Category: Credentials Management Errors
Draft
Summary
Weaknesses in this category are related to the management of credentials.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1392 | Use of Default Credentials | This vulnerability occurs when a system, device, or application relies on pre-configured, publicly known credentials like passwords or encryption keys for access to critical functions. |
| CWE-256 | Plaintext Storage of a Password | This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or databases where attackers can easily retrieve them. |
| CWE-257 | Storing Passwords in a Recoverable Format | This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their original plaintext form. This practice, often called storing 'recoverable' passwords, defeats the core purpose of password protection. It allows anyone with access to the stored data—including attackers who breach the system or even malicious insiders—to obtain and reuse the actual passwords on other accounts, offering no real security advantage over storing them in plain text. |
| CWE-260 | Password in Configuration File | This vulnerability occurs when an application stores sensitive passwords directly within a configuration file, making them easily readable to anyone with access to that file. |
| CWE-261 | Weak Encoding for Password | Using simple encoding like Base64 to hide a password provides no real security, as it can be easily reversed. |
| CWE-262 | Not Using Password Aging | This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely. |
| CWE-263 | Password Aging with Long Expiration | The system enforces password changes, but the time allowed between changes is excessively long, weakening security. |
| CWE-324 | Use of a Key Past its Expiration Date | This vulnerability occurs when an application continues to use a cryptographic key or password after its designated expiration date. Doing so dramatically increases the security risk by giving attackers more time to discover or crack the key. |
| CWE-521 | Weak Password Requirements | This vulnerability occurs when an application fails to enforce strong password policies, making user accounts easier to compromise through guessing or automated attacks. |
| CWE-523 | Unprotected Transport of Credentials | This vulnerability occurs when a login page or authentication system transmits user credentials (like usernames and passwords) over a network without proper encryption, exposing them to interception. |
| CWE-549 | Missing Password Field Masking | This vulnerability occurs when an application fails to hide password characters as they are typed, making them visible to anyone who can see the screen. This exposes user credentials to onlookers or screen-capturing malware. |
| CWE-620 | Unverified Password Change | This vulnerability occurs when an application allows a user to set a new password without first verifying their identity through the old password or a secure secondary authentication method. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | This vulnerability occurs when an application's password reset or recovery feature is poorly designed or implemented, allowing attackers to bypass authentication and hijack user accounts. |
| CWE-798 | Use of Hard-coded Credentials | This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files. |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | This vulnerability occurs when a system protects passwords by hashing them, but uses a hashing algorithm that is too fast or computationally cheap. This makes it easy for attackers to crack the stored password hashes using brute-force methods. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1287]. This CWE ID may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016).
Comment:
Some weakness-oriented alternatives might be found under Improper Authentication (CWE-287) or keyword searches for credentials.