The product does not require that users should have strong passwords.

What CVEs are caused by CWE-521?

148 recorded CVEs are attributed to CWE-521, including CVE-2019-18988, CVE-2025-12364, CVE-2026-25715. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Is CWE-521 part of the OWASP Top 10?

CWE-521 maps to OWASP Top Ten 2004: Broken Authentication and Session Management (A3) in the OWASP security taxonomy.

How do you prevent CWE-521?

A product's design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:

How is CWE-521 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-521?

Exploiting CWE-521 can lead to: Gain Privileges or Assume Identity.

Is CWE-521 actively exploited?

Yes. 1 CWE-521 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 148 recorded CVEs.

CWE-521: Weak Password Requirements

Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.

CWE-521: Weak Password Requirements

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-521?

What CVEs are caused by CWE-521?

Is CWE-521 part of the OWASP Top 10?

How do you prevent CWE-521?

How is CWE-521 detected?

What are the consequences of CWE-521?

Is CWE-521 actively exploited?

References

Stay ahead of CWE-521

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-521?

What CVEs are caused by CWE-521?

Is CWE-521 part of the OWASP Top 10?

How do you prevent CWE-521?

How is CWE-521 detected?

What are the consequences of CWE-521?

Is CWE-521 actively exploited?

References

Stay ahead of CWE-521