CWE-309: Use of Password System for Primary Authentication
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
Overview
CWE-309 (Use of Password System for Primary Authentication) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
Password systems are the simplest and most ubiquitous authentication mechanism. They are, however, subject to well-known attacks (guessing, phishing, credential stuffing from other breaches, offline cracking of leaked hashes) and to such frequent compromise that relying on a password alone, in its simplest form, as the sole proof of identity is not practical.
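The pattern the entry warns about, beside one common hardening, as an added example that is not code from the CWE entry: a login that accepts nothing but a password (even a properly salted and stretched one), and the same login extended with a TOTP second factor so that a phished or reused password no longer authenticates on its own. The class names, the in-memory user store and the RFC 4226/6238 test secret are assumptions made for this illustration; the TOTP code is implemented from the standard library so the block runs offline.

```python
"""Password-only login (the CWE-309 pattern) beside password + TOTP.

Added example; the classes, user store and secrets here are assumptions,
not code from the CWE entry. HOTP/TOTP follow RFC 4226 / RFC 6238.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000
_DUMMY_SALT = os.urandom(16)  # equalises timing for unknown usernames


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordOnlyAuth:
    """Weak pattern: the password is the sole proof of identity.

    Even with salted PBKDF2 storage, anyone who phishes, guesses or
    reuses the password is authenticated as the victim, which is the
    consequence the CWE entry describes."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def check_password(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            # Same work for an unknown user, so response time does not
            # reveal which usernames exist.
            _hash_password(password, _DUMMY_SALT)
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        return self.check_password(user, password)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamically truncated HMAC-SHA1 over the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


class TwoFactorAuth:
    """Password plus a TOTP code: a stolen password alone no longer suffices."""

    def __init__(self) -> None:
        self._passwords = PasswordOnlyAuth()
        self._totp_secret: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}  # replay protection

    def register(self, user: str, password: str,
                 secret: Optional[bytes] = None) -> bytes:
        self._passwords.register(user, password)
        secret = secret if secret is not None else os.urandom(20)
        self._totp_secret[user] = secret
        self._last_counter[user] = -1
        return secret  # provisioned into the user's authenticator app

    def login(self, user: str, password: str, code: str,
              at: Optional[float] = None) -> bool:
        if not self._passwords.check_password(user, password):
            return False
        secret = self._totp_secret[user]
        now = int((time.time() if at is None else at) // 30)
        # Accept the current step and one either side for clock skew, but
        # never a step at or before the last one successfully used.
        for counter in (now - 1, now, now + 1):
            if counter <= self._last_counter[user]:
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                self._last_counter[user] = counter
                return True
        return False
```

The second class still hashes and checks the password exactly as the first does; the difference is only that a correct password opens the door to a second check rather than to the account, and that a code which has already been accepted is refused if replayed within the skew window.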
Real-world CVEs
One recorded CVE is attributed to CWE-309 (Use of Password System for Primary Authentication). Entries are listed highest-severity and most recent first. No new CWE-309 CVEs have been recorded so far in 2026 (one in 2025).
Common consequences
What can happen when CWE-309 is exploited.
Bypass Protection Mechanism, Gain Privileges or Assume Identity
Affects: Access Control
An error in a password authentication mechanism almost always lets an attacker authenticate as a valid user, because the password is the only thing standing between the attacker and the account.