logo

Not Using Password Aging

Draft Base
Structure: Simple
Description

This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely.

Extended Description

Password aging, also known as password rotation, is a security policy that requires users to update their passwords after a set period, such as every 30 or 90 days. Without this enforcement, users may never change their credentials, leaving accounts vulnerable if a password is ever compromised. While once a standard recommendation, mandatory password rotation is now considered less effective against modern threats compared to strong, slow hashing algorithms and multi-factor authentication. Forcing frequent changes can lead to weaker password choices and user frustration. However, many organizations still implement it to meet specific compliance requirements, such as PCI DSS standards for handling payment card data.
Common Consequences 1
Scope: Access Control

Impact: Gain Privileges or Assume Identity

As passwords age, the probability that they are compromised grows.
Potential Mitigations 2
Phase: Architecture and Design
As part of a product's design, require users to change their passwords regularly and avoid reusing previous passwords.
Phase: Implementation
Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294].

Effectiveness: Discouraged Common Practice
Demonstrative Examples 1
A system does not enforce the changing of passwords every certain period.
References 9
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
Discussion Thread: Time to retire CWE-262 and CWE-263
Kurt Seifried and other members of the CWE-Research mailing list
03-12-2021
https://www.mail-archive.com/cwe-research-list@mitre.org/msg00018.html(2022-10-11)
ID: REF-1305
Time for Password Expiration to Die
Lance Spitzner
27-06-2021
https://www.sans.org/blog/time-for-password-expiration-to-die/
ID: REF-1289
Time to rethink mandatory password changes
Lorrie Cranor
02-03-2016
https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2016/03/time-rethink-mandatory-password-changes
ID: REF-1290
Security Myths and Passwords
Eugene Spafford
19-04-2006
https://www.cerias.purdue.edu/site/blog/post/password-change-myths/
ID: REF-1291
Password administration for system owners
National Cyber Security Centre
19-11-2018
https://www.ncsc.gov.uk/collection/passwords(2023-04-07)
ID: REF-1292
Digital Identity Guidelines: Authentication and Lifecycle Management(SP 800-63B)
NIST
06-2017
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf(2023-04-07)
ID: REF-1293
Let them paste passwords
National Cyber Security Centre
02-01-2017
https://webarchive.nationalarchives.gov.uk/ukgwa/20240701101110/https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords(2025-08-04)
ID: REF-1294
Likelihood of Exploit

Low

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Related Attack Patterns
Related Weaknesses
ChildOf: Weak Authentication (CWE-1390)
PeerOf: Use of Password System for Primary Authentication (CWE-309)
PeerOf: Use of a Key Past its Expiration Date (CWE-324)
Taxonomy Mapping
  • CLASP