CWE-309: Use of Password System for Primary Authentication
Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: High
Description
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism. A password is a single, reusable secret: anyone who guesses, phishes, replays or reads it from a weak store holds the whole credential.
Relationships
- ChildOf CWE-287 (Improper Authentication), View 1000, Primary
- ChildOf CWE-287 (Improper Authentication), View 699, Primary
- ChildOf CWE-654 (Reliance on a Single Factor in a Security Decision), View 1000
- PeerOf CWE-308 (Use of Single-factor Authentication), View 1000
Applicable Platforms
Language: Language-Independent (Prevalence: Undetermined)
Common Consequences
Scope | Impact | Notes |
---|---|---|
Access Control | Bypass Protection Mechanism; Gain Privileges or Assume Identity | A password authentication mechanism error will almost always result in attackers being authorized as valid users. |
Potential Mitigations
Phase: Architecture and Design
In order to protect password systems from compromise, the following should be noted:
- Use a zero-knowledge password protocol, such as SRP, so the server never receives or stores the password itself.
- Ensure that passwords are stored safely and are not reversible: a per-user random salt and a deliberately slow one-way function (PBKDF2, bcrypt, scrypt or Argon2), never a plain fast digest.
- Implement password aging functionality that requires passwords be changed after a certain point.
- Use a mechanism for determining the strength of a password and notify the user of weak password use.
- Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.
Demonstrative Examples
Example 1
In both of these examples, a user is logged in if their given password matches a stored password:
bad C
// Helper functions (simple_digest, equal, secret_password, login_user) are
// placeholders for the application's own hashing, comparison, lookup and
// session code; the digest is unsalted and the password is the only factor.
unsigned char *check_passwd(char *plaintext) {
  unsigned char *ctext = simple_digest("sha1", plaintext, strlen(plaintext));
  //Login if hash matches stored hash
  if (equal(ctext, secret_password())) {
    login_user();
  }
}
bad Java
// plainTextIn is the password bytes as received; equal, secret_password and
// login_user are the application's own placeholders, as in the C version.
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(plainTextIn);
byte[] digest = encer.digest();
//Login if hash matches stored hash
if (equal(digest, secret_password())) {
  login_user();
}
This code fails to incorporate more than one method of authentication. If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also exhibits CWE-328 (Reversible One-Way Hash) and CWE-759 (Use of a One-Way Hash without a Salt).
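The hardened form of the login check above, as an added example that is not part of the CWE entry. It puts the page's unsalted-digest compare beside a password store that applies the listed mitigations: a per-user random salt with a slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), a constant-time comparison, a strength check, and a password-age check at login. The iteration count, the 90-day age limit, the 12-character minimum, the common-password list and all function names are assumptions chosen for this example; SRP is not shown.

```python
"""Added example (not from the CWE entry): the page's unsalted-digest login
check beside a hardened password store that applies the listed mitigations."""
import hashlib
import hmac
import os
import time
from typing import Optional

# --- The pattern the page's C/Java examples show: a fast, unsalted digest of
#     the password compared for equality. Identical passwords give identical
#     digests across users, precomputed tables apply, the compare is not
#     constant-time, and the password remains the only factor.
def weak_verify(password: str, stored_digest: bytes) -> bool:
    return hashlib.sha1(password.encode("utf-8")).digest() == stored_digest

# --- Hardened storage. The values below are assumptions for this example,
#     not values taken from the CWE entry.
PBKDF2_ITERATIONS = 600_000              # assumption: cost per guess for an attacker
MAX_PASSWORD_AGE_SECS = 90 * 24 * 3600   # assumption: 90-day aging policy
MIN_PASSWORD_LENGTH = 12                 # assumption: minimum accepted length
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed stub list

def password_strength_issues(password: str) -> list:
    """Return the reasons a candidate password is weak; empty means acceptable."""
    issues = []
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears on the common-password list")
    return issues

def hash_password(password: str, now: Optional[float] = None) -> dict:
    """Build the stored record: per-user random salt, slow KDF output, the
    cost parameter (so it can be raised later) and the time the password was set."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": dk,
        "set_at": time.time() if now is None else now,
    }

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])

def password_expired(record: dict, now: Optional[float] = None) -> bool:
    """Password aging: True once the record is older than the policy allows."""
    current = time.time() if now is None else now
    return current - record["set_at"] > MAX_PASSWORD_AGE_SECS

def login(password: str, record: dict, now: Optional[float] = None) -> str:
    """Decision for the password factor alone. The caller still owes a second
    factor before issuing a session; that is the actual fix for CWE-309."""
    if not verify_password(password, record):
        return "denied"
    if password_expired(record, now):
        return "password-change-required"
    return "password-ok"

if __name__ == "__main__":
    pw = "correct horse battery staple"
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted hashes differ for equal passwords:", alice["hash"] != bob["hash"])
    print("unsalted SHA-1 is identical for equal passwords:",
          hashlib.sha1(pw.encode()).digest() == hashlib.sha1(pw.encode()).digest())
    print(login(pw, alice), login("wrong", alice),
          login(pw, alice, now=alice["set_at"] + MAX_PASSWORD_AGE_SECS + 1))
    print(password_strength_issues("qwerty"))
```

The record keeps its own iteration count so the cost can be raised for new passwords without invalidating old ones, and `login` reports only the password-factor outcome; a session should still require a second factor, which is the point of CWE-308 and CWE-654 listed above.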
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | Using password systems | ||
OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management |
Source: scap中文网 (reposted from the internet)