CWE-263Password Aging with Long Expiration

PUBLISHEDweakness recordLow
released 2006-07-19 · last modified 2025-12-11

Metadata

CWE ID:
CWE-263
摘要:
Base
结构:
Simple
状态:
Draft
发布日期:
2006-07-19
更新日期:
2025-12-11

名称

Password Aging with Long Expiration

描述

The product supports password aging, but the expiration period is too long.

Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. A long expiration provides more time for attackers to conduct password cracking before users are forced to change to a new password. Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).

常见后果

范围:
Access Control
影响:
Gain Privileges or Assume Identity
注释:
As passwords age, the probability that they are compromised grows.

相关 CWE