Weak Password Requirements

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.


Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.

See Also

Authenticate Actors

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is i...

SFP Secondary Cluster: Insecure Authentication Policy

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

Credentials Management Errors

Weaknesses in this category are related to the management of credentials.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...

CWE Cross-section

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful t...

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.