Inadequate Encryption Strength

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.


A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

See Also

OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure

Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2017.

Encrypt Data

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries....

SFP Secondary Cluster: Weak Cryptography

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses for Simplified Mapping of Published Vulnerabilities

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the N...

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.