Note: This page is part of the archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact if you have any questions about the US-CERT website archive.

Use Authentication Mechanisms, Where Appropriate, Correctly

Author(s): William L. Fithen
Maturity Levels and Audience Indicators: L4 / D/P
SDLC Life Cycles: Implementation
Copyright: Copyright © Carnegie Mellon University 2005-2012.


Incorrectly using, or failing to use, authentication mechanisms can introduce vulnerability.


The following are frequent design defects that produce vulnerable systems:

  • Using no authentication when it is required.

  • Failure to understand the limitations of the authentication scheme or mechanism. For example, HTTP basic authentication authenticates the user, not the server.

  • Failure to separate authentication and authorization.

  • Designing password schemes that are inherently weak, or that disallow strong passwords. For example, a system that accepts only eight-character passwords composed of alphanumeric characters is a poor design, though many web sites do exactly this [VU#243592].

  • Using weak authentication based on untrustworthy attributes, such as network address information [VU#30308].

  • Disabling a subsystem's built-in access controls through identity sharing, in which many distinct users are mapped onto one shared account so the subsystem can no longer tell them apart. This is a common practice in web sites that use back-end databases.

  • Failing to propagate authentication across a multi-tier application.

  • Designing a secure container for secrets and then exposing the secrets outside the container. This has occurred in several implementations of smart cards.
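As an added example (not part of the US-CERT page), the following Python contrasts two of the defects above: an access decision that rests on an untrustworthy network attribute (a reverse-DNS hostname, as in the lpd case cited) and one that authenticates a principal first and then applies authorization as a separate step. All hostnames, addresses, credentials and the ACL are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed reverse-DNS table: what a PTR lookup on the peer's address returns.
# Whoever controls the PTR zone for that address controls this answer, so it is a
# third party's assertion about the peer, not proof of who the peer is.
TRUSTED_HOSTS = {"printclient.example.org"}

def weak_hostname_check(src_ip: str, reverse_dns: Dict[str, str]) -> bool:
    """Defect from the list above: a network attribute stands in for authentication.
    The decision is exactly as trustworthy as the resolver answer it is handed."""
    return reverse_dns.get(src_ip) in TRUSTED_HOSTS

@dataclass(frozen=True)
class Principal:
    name: str

# Constructed credential store (salted SHA-256 digests) and, kept separate from it,
# the authorization data. Credentials say who you are; the ACL says what you may do.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
ACL = {("alice", "print"): True, ("alice", "admin"): False}

def authenticate(user: str, password: str) -> Optional[Principal]:
    """Step 1: establish who is calling, from a secret only that user holds."""
    stored = USERS.get(user)
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, digest):
        return None
    return Principal(user)

def authorize(principal: Optional[Principal], action: str) -> bool:
    """Step 2: decide what the authenticated principal may do. An unauthenticated
    caller gets nothing, regardless of the address or hostname it arrives from."""
    if principal is None:
        return False
    return ACL.get((principal.name, action), False)

def handle_request(user: str, password: str, action: str) -> bool:
    """The two steps stay distinct: a valid login never by itself implies permission."""
    return authorize(authenticate(user, password), action)

if __name__ == "__main__":
    print(handle_request("alice", "correct horse", "print"))   # True
    print(handle_request("alice", "correct horse", "admin"))   # False
    print(handle_request("alice", "wrong password", "print"))  # False
```

Note that `weak_hostname_check` returns the same answer for any source address the resolver maps to the trusted name, which is why the outcome is only as reliable as the DNS data behind it.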

Applicable Context

Missing, incomplete, or incorrect application of an authentication mechanism.

Impacts Being Mitigated

Security Policies to be Preserved

  • Policy #1

    • Access to computing resources is granted only to authentic individuals.


Citation  Bibliographic Entry

[VU#243592] Cohen, Cory & Lanza, Jeffrey. Vulnerability Note VU#243592: Alcatel ADSL modems provide EXPERT administrative account with an easily reversible encrypted password. (2001).

[VU#30308] Rafail, Jason. Vulnerability Note VU#30308: lpd hostname authentication bypassed with spoofed DNS. (2001).