Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-263 (口令老化拥有过长有效期) — Vulnerability Class 1

1 vulnerabilities classified as CWE-263 (口令老化拥有过长有效期). AI Chinese analysis included.

CWE-263 represents a configuration weakness where password aging policies are implemented but configured with excessively long expiration periods. This flaw allows attackers significantly more time to conduct offline password cracking or brute-force attacks against compromised credential databases before the system forces a password rotation. By extending the validity window, the window of opportunity for unauthorized access increases, potentially leading to prolonged unauthorized system access if the password is eventually cracked. Developers mitigate this risk by adhering to established security standards, such as NIST guidelines, which recommend shorter, reasonable expiration intervals that balance security requirements with user convenience. Implementing dynamic password policies that adjust expiration times based on risk factors further enhances protection, ensuring that credentials do not remain valid long enough to be successfully compromised through persistent attack vectors.

MITRE CWE Description
The product supports password aging, but the expiration period is too long. Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. A long expiration provides more time for attackers to conduct password cracking before users are forced to change to a new password. Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).
Common Consequences (1)
Access ControlGain Privileges or Assume Identity
As passwords age, the probability that they are compromised grows.
Mitigations (5)
ImplementationPreviously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and…
Architecture and DesignEnsure that password aging is limited so that there is a defined maximum age for passwords. Note that if the expiration window is too short, it can cause users to generate poor or predictable passwords.
Architecture and DesignEnsure that the user is notified several times leading up to the password expiration.
Architecture and DesignCreate mechanisms to prevent users from reusing passwords or creating similar passwords.
ImplementationDevelopers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294].
Effectiveness: Discouraged Common Practice
Examples (1)
A system requires the changing of passwords every five years.
CVE IDTitleCVSSSeverityPublished
CVE-2023-1976 Password Aging with Long Expiration in answerdev/answer — answerdev/answer 8.8 -2023-04-11

Vulnerabilities classified as CWE-263 (口令老化拥有过长有效期) represent 1 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.