CWE-309: Use of Password System for Primary Authentication
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
Last updated
Overview
CWE-309 (Use of Password System for Primary Authentication) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks,and such frequent compromise that their use in the most simple implementation is not practical.
Real-world CVEs
1 recorded CVEs are caused by CWE-309 (Use of Password System for Primary Authentication). The highest-severity and most recent are shown first. 0 new CWE-309 CVEs have been recorded so far in 2026 (1 in 2025).
Common consequences
What can happen when CWE-309 is exploited.
Bypass Protection Mechanism, Gain Privileges or Assume Identity
Affects: Access Control
A password authentication mechanism error will almost always result in attackers being authorized as valid users.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-309, grouped by where in the lifecycle they apply.
In order to protect password systems from compromise, the following should be noted:
- Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stored encrypted, in a non-reversible state, such that the original text password cannot be extracted from the stored value.
- Password aging should be strictly enforced to ensure that passwords do not remain unchanged for long periods of time. The longer a password remains in use, the higher the probability that it has been compromised. For this reason, passwords should require refreshing periodically, and users should be informed of the risk of passwords which remain in use for too long.
- Password strength should be enforced intelligently. Rather than restrict passwords to specific content, or specific length, users should be encouraged to use upper and lower case letters, numbers, and symbols in their passwords. The system should also ensure that no passwords are derived from dictionary words.
Use a zero-knowledge password protocol, such as SRP.
Ensure that passwords are stored safely and are not reversible.
Implement password aging functionality that requires passwords be changed after a certain point.
Use a mechanism for determining the strength of a password and notify the user of weak password use.
Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In both of these examples, a user is logged in if their given password matches a stored password:
Vulnerable example
unsigned char *check_passwd(char *plaintext) {Vulnerable example
//Login if hash matches stored hash
String plainText = new String(plainTextIn);This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759).
Terminology & mappings
Mapped taxonomies
- CLASP: Using password systems
- OWASP Top Ten 2004: Broken Authentication and Session Management (A3) — CWE More Specific fit
Attack patterns
CAPEC attack patterns that exploit this weakness.
- CAPEC-16: Dictionary-based Password Attack
- CAPEC-49: Password Brute Forcing
- CAPEC-509: Kerberoasting
- CAPEC-55: Rainbow Table Password Cracking
- CAPEC-555: Remote Services with Stolen Credentials
- CAPEC-560: Use of Known Domain Credentials
- CAPEC-561: Windows Admin Shares with Stolen Credentials
- CAPEC-565: Password Spraying
- CAPEC-600: Credential Stuffing
- CAPEC-652: Use of Known Kerberos Credentials
- CAPEC-653: Use of Known Operating System Credentials
- CAPEC-70: Try Common or Default Usernames and Passwords
Frequently asked questions
Common questions about CWE-309.
- What is CWE-309?
- The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
- What CVEs are caused by CWE-309?
- 1 recorded CVEs are attributed to CWE-309, including CVE-2024-45675.
- Is CWE-309 part of the OWASP Top 10?
- CWE-309 maps to OWASP Top Ten 2004: Broken Authentication and Session Management (A3) in the OWASP security taxonomy.
- How do you prevent CWE-309?
- In order to protect password systems from compromise, the following should be noted:
- What are the consequences of CWE-309?
- Exploiting CWE-309 can lead to: Bypass Protection Mechanism, Gain Privileges or Assume Identity.
- Is CWE-309 actively exploited?
- 1 recorded CVEs are caused by CWE-309; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-309) (opens in a new tab)
- CWE-309 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-309
Get alerted the moment a new CWE-309 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.