Backslash Vulnerability Database Weak Password Requirements
Weak Password Requirements
CWE-521
Overtime trend (NVD): chart, not reproduced in text
CVSS severity (NVD, All Time): chart, not reproduced in text
Per technology (GHSA, All time)
- 36% Pip
- 31% Composer
- 13% Go
- 18% Others
Short description
The product does not require users to choose strong passwords, which makes it easier for attackers to compromise user accounts.
Extended description
Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depend on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.
Best practices to prevent this CWE
Phase: Architecture and Design
A product's design should require adherence to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended that the policy contain the following attributes:
Depending on the threat model, the password policy may include several additional attributes.
See NIST 800-63B for further information on password requirements.
Phase: Architecture and Design
Consider a second authentication factor beyond the password, which prevents the password from being a single point of failure. See CWE-308 for further information.
Phase: Implementation
Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.
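A policy check aligned with NIST SP 800-63B, as an added Python example (not code from the Backslash database or from CWE): it contrasts a weak policy, which accepts a leaked seven-character password, with a NIST-aligned policy that rejects it. The policy parameters, check names and the small blocklist are assumptions constructed for this example.

```python
"""Password policy check aligned with NIST SP 800-63B (added example).

Assumptions (not from the page): the policy parameters, the constructed
blocklist and the violation strings are illustrative choices, not a standard API.
"""
from dataclasses import dataclass
import unicodedata

# Constructed sample of a compromised-password blocklist. A real deployment
# would load a large breach-derived list instead of this handful of entries.
BLOCKLIST = frozenset({"password", "123456", "qwerty", "letmein", "welcome1", "admin123"})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8          # 800-63B floor for user-chosen secrets
    max_length: int = 64         # 800-63B: allow at least 64 characters
    blocklist: frozenset = BLOCKLIST
    max_repeat: int = 4          # run of one identical character, e.g. "aaaa"


# Weak policy: short floor, low ceiling, no blocklist (the CWE-521 condition).
WEAK_POLICY = PasswordPolicy(min_length=6, max_length=16, blocklist=frozenset())
# NIST-aligned policy: length plus blocklist, no composition rules imposed.
NIST_POLICY = PasswordPolicy()


def normalize(secret: str) -> str:
    """NFKC-normalize so visually equal Unicode inputs compare equal."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, username: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    s = normalize(secret)
    lowered = s.lower()
    problems = []
    n = len(s)  # count code points, not bytes, so non-ASCII is not penalised
    if n < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if n > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if lowered in policy.blocklist:
        problems.append("appears in the compromised-password blocklist")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    run = policy.max_repeat
    if any(s[i:i + run] == s[i] * run for i in range(n)):
        problems.append(f"contains {run} or more repeated characters")
    return problems
```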