
CWE-309 (Use of Password System for Primary Authentication) — Vulnerability Class 1

1 vulnerability classified as CWE-309 (Use of Password System for Primary Authentication). AI Chinese analysis included.

CWE-309 represents a critical authentication weakness where password systems serve as the sole mechanism for verifying user identity, inherently lacking the resilience of multi-factor approaches. This vulnerability is typically exploited by attackers leveraging credential stuffing, brute force attacks, or phishing schemes to harvest or guess passwords, thereby gaining unauthorized access to sensitive systems. Since passwords are susceptible to theft, reuse, and weak selection, relying exclusively on them creates a single point of failure that adversaries can easily compromise. To mitigate this risk, developers must implement multi-factor authentication (MFA) that combines something the user knows with something they have or are. By integrating hardware tokens, biometric verification, or time-based one-time passwords, organizations significantly raise the barrier for attackers, ensuring that compromised credentials alone are insufficient for unauthorized entry.

MITRE CWE Description
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
Common Consequences (1)
Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity
A password authentication mechanism error will almost always result in attackers being authorized as valid users.
Mitigations (5)
Architecture and Design: In order to protect password systems from compromise, the following should be noted: Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stor…
Architecture and Design: Use a zero-knowledge password protocol, such as SRP.
Architecture and Design: Ensure that passwords are stored safely and are not reversible.
Architecture and Design: Implement password aging functionality that requires passwords be changed after a certain point.
Architecture and Design: Use a mechanism for determining the strength of a password and notify the user of weak password use.
Examples (1)
In both of these examples, a user is logged in if their given password matches a stored password:
    #include <string.h>

    unsigned char *check_passwd(char *plaintext) {
        unsigned char *ctext;
        // Unsalted single-round SHA-1 of the supplied password
        ctext = simple_digest("sha1", plaintext, strlen(plaintext), ...);
        // Login if hash matches stored hash: the password is the only factor checked
        if (equal(ctext, secret_password())) {
            login_user();
        }
    }

Bad · C
    import java.security.MessageDigest;

    String plainText = new String(plainTextIn);
    MessageDigest encer = MessageDigest.getInstance("SHA");
    encer.update(plainTextIn);
    // Digest taken from the MessageDigest that was updated (the original listing read password.digest())
    byte[] digest = encer.digest();
    // Login if hash matches stored hash: the password is the only factor checked
    if (equal(digest, secret_password())) {
        login_user();
    }

Bad · Java
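The two listings above compare a bare, unsalted digest and treat the match as the whole login decision. The following is an added example, not MITRE's or this site's own code, showing the shape the mitigations section calls for: a non-reversible salted, iterated password hash compared in constant time, plus a second factor (RFC 6238 TOTP) so that a stolen password alone is not sufficient. The iteration count, record layout and function names are assumptions; only the Python standard library is used.

```python
import hashlib
import hmac
import os
import struct

# Assumption: iteration budget; tune to the hardware the login service runs on.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never a bare SHA-1 of the password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": dk, "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current time window."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Accept the current window and one step either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in (-1, 0, 1))


def authenticate(record: dict, totp_secret: bytes, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated; a compromised password on its own never logs in."""
    pw_ok = verify_password(password, record)
    otp_ok = verify_totp(totp_secret, code, unix_time)
    return pw_ok and otp_ok
```

A deployment should additionally remember the last window in which a code was accepted so the same TOTP value cannot be replayed within the drift tolerance.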
CVE ID | Title | CVSS | Severity | Published
CVE-2024-45675 | IBM Informix Dynamic Server Authentication Bypass — Informix Dynamic Server | 8.4 | High | 2025-12-02

Vulnerabilities classified as CWE-309 (Use of Password System for Primary Authentication) represent 1 CVE. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.