CWE-309: Use of Password System for Primary Authentication

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: High


The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.


  • ChildOf CWE-287 (View 1000, Ordinal: Primary)

  • ChildOf CWE-287 (View 699, Ordinal: Primary)

  • ChildOf CWE-654 (View 1000)

  • PeerOf CWE-308 (View 1000)


Language: Language-Independent (Prevalence: Undetermined)


Scope: Access Control
Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity
Notes: A password authentication mechanism error will almost always result in attackers being authorized as valid users.


Phase (all items below): Architecture and Design

Strategy: In order to protect password systems from compromise, the following should be noted:

  • Use a zero-knowledge password protocol, such as SRP.

  • Ensure that passwords are stored safely and are not reversible.

  • Implement password aging functionality that requires passwords be changed after a certain point.

  • Use a mechanism for determining the strength of a password and notify the user of weak password use.

  • Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.


In both of these examples, a user is logged in if their given password matches a stored password:

bad C

unsigned char check_passwd(char *plaintext) {
    unsigned char *ctext = simple_digest("sha1", plaintext, strlen(plaintext), ... );
    // Login if hash matches stored hash (the only factor checked)
    if (equal(ctext, secret_password())) {
        return 1; // authenticated on the password alone
    }
    return 0;
}

bad Java

String plainText = new String(plainTextIn);
MessageDigest encer = MessageDigest.getInstance("SHA"); // java.security.MessageDigest
byte[] digest = encer.digest(plainText.getBytes());
// Login if hash matches stored hash (the only factor checked)
if (MessageDigest.isEqual(digest, secret_password())) {
    loginUser(); // hypothetical helper; authenticated on the password alone
}

This code fails to incorporate more than one method of authentication. If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also exhibits CWE-328 (Reversible One-Way Hash) and CWE-759 (Use of a One-Way Hash without a Salt).
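The mitigations listed above (non-reversible salted storage, password aging, a strength check) and the point just made about relying on a single factor are shown together in the following added example. It is not part of the CWE entry or of any project's code, and it is in Python rather than the C and Java of the snippets above. PBKDF2 with SHA-256 stands in for the stored-hash scheme, and a TOTP code supplies the second factor the snippets lack. The work factor, the 90-day limit, the common-password stub list, the UserRecord layout and all function names are assumptions.

```python
# Added example (not taken from CWE-309 or any project): a login routine that
# does not rest on the password alone. It combines a salted, non-reversible
# PBKDF2 hash, a TOTP second factor (RFC 6238 over RFC 4226 HOTP), a
# password-age check and a strength check. The work factor, policy limits,
# record layout and function names are assumptions made for this example.
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000          # assumed work factor
MAX_PASSWORD_AGE = 90 * 24 * 3600    # assumed 90-day aging policy, in seconds
MIN_PASSWORD_LENGTH = 12             # assumed minimum length
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed stub list

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted, slow digest. A fresh per-user salt defeats precomputed
    tables, unlike the unsalted SHA-1 in the bad examples above."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)  # constant-time comparison

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock skew."""
    candidates = [totp(secret, now + k * step, step) for k in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)

def password_weaknesses(password: str) -> List[str]:
    """Strength check; the returned messages are what the user is warned with."""
    issues = []
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        issues.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("on the common-password list")
    return issues

@dataclass
class UserRecord:
    salt: bytes
    password_digest: bytes
    totp_secret: bytes
    password_set_at: int  # epoch seconds of the last password change

def enroll(password: str, totp_secret: bytes, now: int) -> UserRecord:
    """Create a record, refusing weak passwords instead of storing them."""
    issues = password_weaknesses(password)
    if issues:
        raise ValueError("weak password: " + "; ".join(issues))
    salt, digest = hash_password(password)
    return UserRecord(salt, digest, totp_secret, now)

def authenticate(user: UserRecord, password: str, code: str, now: int) -> str:
    """Return 'ok', 'password-expired' or 'denied'. Both factors are always
    evaluated, and expiry is reported only once both have succeeded."""
    pw_ok = verify_password(password, user.salt, user.password_digest)
    otp_ok = verify_totp(user.totp_secret, code, now)
    if not (pw_ok and otp_ok):
        return "denied"
    if now - user.password_set_at > MAX_PASSWORD_AGE:
        return "password-expired"
    return "ok"

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed input
    now = 1_700_000_000
    later = now + 100 * 86400
    rec = enroll("Correct-Horse-Battery-9", secret, now)
    print(authenticate(rec, "Correct-Horse-Battery-9", totp(secret, now), now))      # ok
    print(authenticate(rec, "wrong-password-here!1", totp(secret, now), now))        # denied
    print(authenticate(rec, "Correct-Horse-Battery-9", totp(secret, later), later))  # password-expired
```

Both factors are verified before any result is returned, so a wrong code and a wrong password produce the same "denied" answer, and the expiry message is only reachable by a caller who already holds both. The CWE-328/CWE-759 issues noted above are addressed by the per-user salt and the slow KDF; the zero-knowledge protocol (SRP) mitigation is not shown here.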


Mapped Taxonomy Name   Node ID   Fit                 Mapped Node Name
CLASP                                                Using password systems
OWASP Top Ten 2004     A3        CWE More Specific   Broken Authentication and Session Management