CWE-521 弱口令要求

Weak Password Requirements

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown


The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.


An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. Lack of password complexity significantly reduces the search space when trying to guess user's passwords, making brute-force attacks easier.


  • cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 1003 cwe_Ordinal: Primary


范围 影响 注释
Access Control Gain Privileges or Assume Identity An attacker could easily guess user passwords and gain access user accounts.


Architecture and Design

策略: Enforce usage of strong passwords. A password strength policy should contain the following attributes:

Architecture and Design


Authentication mechanisms should always require sufficiently complex passwords and require that they be periodically changed.


映射的分类名 ImNode ID Fit Mapped Node Name
OWASP Top Ten 2004 A3 CWE More Specific Broken Authentication and Session Management


  • CAPEC-112
  • CAPEC-16
  • CAPEC-49
  • CAPEC-55
  • CAPEC-70