Difference between revisions of "Not allowing password aging"

From OWASP
m (Reverted edits by LacaaCmono (Talk) to last version by KirstenS)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
+
{{Template:Vulnerability}}
 
{{Template:SecureSoftware}}
 
{{Template:SecureSoftware}}
  
==Overview==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
==Consequences ==
+
==Description==
  
* Authentication: As passwords age, the probability that they are compromised grows.
+
If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.
  
==Exposure period ==
+
'''Consequences'''
  
* Design: Support for password aging mechanisms must be added in the design phase of development.
+
* Authentication: As passwords age, the probability that they are compromised grows.
  
==Platform ==
+
'''Exposure period'''
  
* Languages: All
+
* Design: Support for password aging mechanisms must be added in the design phase of development.
  
* Operating platforms: All
+
'''Platform'''
  
==Required resources ==
+
* Languages: All
 +
* Operating platforms: All
 +
 
 +
'''Required resources'''
  
 
Any
 
Any
  
==Severity ==
+
'''Severity'''
  
 
Medium
 
Medium
  
==Likelihood   of exploit ==
+
'''Likelihood of exploit'''
  
 
Very Low
 
Very Low
  
==Avoidance and mitigation ==
+
The recommendation that users change their passwords regularly and do not reuse passwords is universal among security experts. In order to enforce this, it is useful to have a mechanism that notifies users when passwords are considered old and that requests that they replace them with new, strong passwords.
  
* Design: Ensure that password aging functionality is added to the design of the system, including an alert previous to the time the password is considered obsolete, and useful information for the user concerning the importance of password renewal, and the method.
+
In order for this functionality to be useful, however, it must be accompanied with documentation which stresses how important this practice is and which makes the entire process as simple as possible for the user.
  
==Discussion ==
 
  
The recommendation that users change their passwords regularly and do not reuse passwords is universal among security experts. In order to enforce this, it is useful to have a mechanism that notifies users when passwords are considered old and that requests that they replace them with new, strong passwords.
+
==Risk Factors==
  
In order for this functionality to be useful, however, it must be accompanied with documentation which stresses how important this practice is and which makes the entire process as simple as possible for the user.
+
* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this vulnerability likely or unlikely to actually happen
 +
* Discuss the technical impact of a successful exploit of this vulnerability
 +
* Consider the likely [business impacts] of a successful attack
  
==Examples ==
 
  
* A common example is not having a system to terminate old employee accounts.
+
==Examples==
  
* Not having a system for enforcing the changing of passwords every certain period.
+
* A common example is not having a system to terminate old employee accounts.
 +
* Not having a system for enforcing the changing of passwords every certain period.
  
==Related problems ==
+
==Related [[Attacks]]==
  
* Using password systems
+
* [[Attack 1]]
 +
* [[Attack 2]]
  
* Allowing password aging
 
  
* Using a key past its expiration date
+
==Related [[Vulnerabilities]]==
  
==Categories ==
+
* [[Using password systems]]
 +
* [[Allowing password aging]]
 +
* [[Using a key past its expiration date]]
  
[[Category:Vulnerability]]
 
  
[[Category:Authentication Vulnerability]]
+
==Related [[Controls]]==
  
 +
* Design: Ensure that password aging functionality is added to the design of the system, including an alert previous to the time the password is considered obsolete, and useful information for the user concerning the importance of password renewal, and the method.
 +
 +
 +
 +
==Related [[Technical Impacts]]==
 +
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 +
 +
==References==
 +
Note: A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:
 +
 +
* [http://cwe.mitre.org/data/definitions/79.html CWE 79].
 +
* http://www.link1.com
 +
* [http://www.link2.com Title for the link2]
 +
 +
 +
 +
__NOTOC__
 +
 +
 +
[[Category:OWASP ASDR Project]]
 +
[[Category:Vulnerability]]
 +
[[Category:Authentication Vulnerability]]
 
[[Category:Password Management Vulnerability]]
 
[[Category:Password Management Vulnerability]]
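Review bot: the revision's new "Related [[Attacks]]" and "Related [[Technical Impacts]]" sections are left with the unfilled template placeholders "* [[Attack 1]]", "* [[Attack 2]]", "* [[Technical Impact 1]]" and "* [[Technical Impact 2]]", and the new "==References==" section keeps the template's sample entries ("* [http://cwe.mitre.org/data/definitions/79.html CWE 79]", an XSS entry, plus http://www.link1.com and http://www.link2.com) instead of a reference for this password-aging weakness; fill them in or drop the empty sections before publishing. The change also removes the "==Avoidance and mitigation ==" and "==Discussion ==" headings without a replacement, so the two paragraphs starting "The recommendation that users change their passwords regularly..." now sit directly under the bold "Likelihood of exploit" label; a "'''Avoidance and mitigation'''" label in the same bold style as the other subsections would restore the structure.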

Latest revision as of 14:42, 26 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



Last revision (mm/dd/yy): 05/26/2009

Vulnerabilities Table of Contents

Description

If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.

Consequences

  • Authentication: As passwords age, the probability that they are compromised grows.

Exposure period

  • Design: Support for password aging mechanisms must be added in the design phase of development.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Any

Severity

Medium

Likelihood of exploit

Very Low

The recommendation that users change their passwords regularly and do not reuse passwords is universal among security experts. In order to enforce this, it is useful to have a mechanism that notifies users when passwords are considered old and that requests that they replace them with new, strong passwords.

In order for this functionality to be useful, however, it must be accompanied by documentation that stresses how important this practice is and that makes the entire process as simple as possible for the user.


Risk Factors

  • Talk about the factors that make this vulnerability likely or unlikely to actually happen
  • Discuss the technical impact of a successful exploit of this vulnerability
  • Consider the likely [business impacts] of a successful attack


Examples

  • A common example is not having a system to terminate old employee accounts.
  • Not having a system that enforces a password change after a fixed period.

Related Attacks


Related Vulnerabilities


Related Controls

  • Design: Ensure that password aging functionality is added to the design of the system, including an alert issued before the password is considered obsolete, together with useful information for the user on why password renewal matters and how to perform it.
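The aging mechanism described in the two mitigation paragraphs above and in this control, written out as an added example in Python (it is not OWASP's code and not part of the ASDR project): it computes an account's aging state against a hypothetical 90-day maximum with a 14-day advance notice, produces the user-facing message the control calls for, refuses reuse of the current or recent passwords, and forces an immediate change when the credential has been flagged as compromised. The policy values, the PBKDF2 parameters, the Settings > Password wording and the sample account are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class AgingState(Enum):
    OK = "ok"                      # nothing to do
    WARN = "warn"                  # inside the advance-notice window
    EXPIRED = "expired"            # past max_age: must change before continuing
    FORCE_CHANGE = "force_change"  # flagged as compromised: change now, whatever the age


@dataclass(frozen=True)
class AgingPolicy:
    max_age: timedelta = timedelta(days=90)     # hypothetical policy values
    warn_before: timedelta = timedelta(days=14)
    history_depth: int = 5                      # earlier hashes kept to block reuse


@dataclass
class Credential:
    user: str
    changed_at: datetime
    salt: bytes
    digest: bytes
    compromised: bool = False                    # set by a breach-notification / IR process
    history: list = field(default_factory=list)  # (salt, digest) pairs of earlier passwords


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever verifier hash the real store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_credential(user: str, password: str, changed_at: datetime) -> Credential:
    salt = os.urandom(16)
    return Credential(user, changed_at, salt, hash_password(password, salt))


def evaluate(cred: Credential, policy: AgingPolicy, now: datetime) -> tuple[AgingState, str]:
    """Return the aging state plus the message to show the user."""
    if cred.compromised:
        return AgingState.FORCE_CHANGE, "This password was reported compromised; choose a new one now."
    age = now - cred.changed_at
    if age >= policy.max_age:
        overdue = (age - policy.max_age).days
        return AgingState.EXPIRED, f"Your password expired {overdue} day(s) ago; set a new one to continue."
    remaining = policy.max_age - age
    if remaining <= policy.warn_before:
        return AgingState.WARN, (f"Your password expires in {remaining.days} day(s); "
                                 "change it under Settings > Password.")
    return AgingState.OK, ""


def is_reused(cred: Credential, candidate: str, policy: AgingPolicy) -> bool:
    """True if candidate equals the current password or one kept in history."""
    if hmac.compare_digest(hash_password(candidate, cred.salt), cred.digest):
        return True
    return any(hmac.compare_digest(hash_password(candidate, salt), digest)
               for salt, digest in cred.history[-policy.history_depth:])


def rotate(cred: Credential, new_password: str, policy: AgingPolicy, now: datetime) -> bool:
    """Apply a password change; returns False (and changes nothing) on reuse."""
    if is_reused(cred, new_password, policy):
        return False
    cred.history = (cred.history + [(cred.salt, cred.digest)])[-policy.history_depth:]
    cred.salt = os.urandom(16)
    cred.digest = hash_password(new_password, cred.salt)
    cred.changed_at = now
    cred.compromised = False
    return True


if __name__ == "__main__":
    # Constructed sample account, checked at several points in its lifetime.
    policy = AgingPolicy()
    start = datetime(2009, 5, 26, tzinfo=timezone.utc)
    cred = new_credential("alice", "correct horse battery", start)
    for days in (10, 80, 95):
        state, msg = evaluate(cred, policy, start + timedelta(days=days))
        print(f"day {days:>3}: {state.value:<12} {msg}")
    day95 = start + timedelta(days=95)
    print("reuse rejected:", not rotate(cred, "correct horse battery", policy, day95))
    print("rotated:       ", rotate(cred, "new unrelated phrase", policy, day95))
    print("after rotation:", evaluate(cred, policy, day95)[0].value)
```

Running the file directly shows the account pass through OK, WARN and EXPIRED, then a rejected reuse followed by a successful rotation. The compromised flag is checked before the calendar on purpose: current guidance (NIST SP 800-63B) prefers changing a password on evidence of compromise over arbitrary periodic rotation, so a deployment that adopts this page's aging control should treat the interval as a backstop and keep the notice text and the change path as simple as the page recommends.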


Related Technical Impacts


References

Note: A reference to the related CWE or CAPEC article should be added when one exists, e.g.: