Weak Password Requirements [CWE-521] — The Hacktivists

The Hacktivists
2 min read · Mar 5, 2021


The Weak Password Requirements weakness describes a case where an application implements a poor password policy, allowing users to create short or very simple passwords.

Table of Contents
1. Description
2. Potential impact
3. Attack patterns
4. Affected software
5. Severity and CVSS Scoring

1. Description
………………………………

The weakness occurs when the application does not check the complexity or minimum length of the passwords it accepts. The entire security of the application depends on its authentication mechanism, so weak password requirements allow users to create weak passwords that are susceptible to a variety of attacks.
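To make the distinction concrete, the following Python policy checker is an added example (not code from the original post or from its credited source). It places the pattern CWE-521 describes, a four-character minimum with no other screening, beside a hardened policy that enforces a minimum length, screens against a blocklist of common passwords and rejects passwords that contain the username. The 12-character minimum, the `max_repeat_run` rule and the tiny blocklist are assumptions made for the illustration; a real deployment would screen against a large breached-password corpus, as NIST SP 800-63B recommends.

```python
"""Password-policy enforcement: a weak policy beside a hardened one.

Added illustration for CWE-521; not code from the original post.
The policy values and the small common-password blocklist below are
constructed for this example.
"""
from dataclasses import dataclass

# Constructed sample blocklist; real deployments use a large breached-password list.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein", "admin",
    "welcome", "password1", "iloveyou", "abc123",
})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int = 128          # upper bound so very long inputs are not hashed
    reject_common: bool = True     # screen against the blocklist
    reject_username: bool = True   # password must not contain the username
    max_repeat_run: int = 0        # 0 disables the check; 4 blocks "aaaa"


# The pattern CWE-521 describes: a short minimum and no other screening.
WEAK_POLICY = PasswordPolicy(min_length=4, reject_common=False, reject_username=False)

# Hardened policy (assumed values): 12-character minimum, blocklist and
# username screening, and a cap on runs of one repeated character.
STRONG_POLICY = PasswordPolicy(min_length=12, max_repeat_run=4)


def _longest_run(s: str) -> int:
    """Length of the longest run of a single repeated character."""
    longest = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


def check_password(password: str, username: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        failures.append(f"longer than {policy.max_length} characters")
    lowered = password.lower()
    if policy.reject_common and lowered in COMMON_PASSWORDS:
        failures.append("appears on the common-password blocklist")
    if policy.reject_username and username and username.lower() in lowered:
        failures.append("contains the username")
    if policy.max_repeat_run and _longest_run(password) >= policy.max_repeat_run:
        failures.append(f"contains {policy.max_repeat_run}+ repeated characters in a row")
    return failures


def is_acceptable(password: str, username: str, policy: PasswordPolicy) -> bool:
    """True when the password violates no rule of the given policy."""
    return not check_password(password, username, policy)


if __name__ == "__main__":
    # "1234" and "password" sail through the weak policy and fail the strong one.
    for pw in ["1234", "password", "alice2021", "correct horse battery staple"]:
        print(f"{pw!r:34} weak={is_acceptable(pw, 'alice', WEAK_POLICY)!s:5} "
              f"strong={is_acceptable(pw, 'alice', STRONG_POLICY)}")
```

The weak policy accepts "1234" and "password", exactly the inputs a dictionary attack tries first; the hardened policy reports each violated rule so the user can be told why a choice was rejected. Note that the hardened policy deliberately avoids composition rules ("one uppercase, one digit, one symbol"), which push users toward predictable substitutions; length and blocklist screening do more to remove guessable passwords.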

2. Potential impact
………………………………

The vulnerability may allow an attacker to guess users’ passwords and gain unauthorized access to the application.

3. Attack patterns
………………………………

The following attack patterns can be used to exploit weak password requirements according to the CAPEC (Common Attack Pattern Enumeration and Classification) classification:

❏ CAPEC-16: Dictionary-based Password Attack
❏ CAPEC-49: Password Brute Forcing
❏ CAPEC-55: Rainbow Table Password Cracking
❏ CAPEC-70: Try Common or Default Usernames and Passwords
❏ CAPEC-112: Brute Force

4. Affected software
………………………………

This vulnerability can arise in any application that requires user authentication.

5. Severity and CVSS Scoring
………………………………

The severity of this vulnerability depends on the application's functionality and on the privileges of the user account protected by the weak password.

In the case of modern web applications, a weak password on an administrative account can lead to compromise of the web application or even of the underlying system.

In such a case, the vulnerability is considered critical with a CVSSv3 score of 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Credits: https://www.immuniweb.com/
