Should Passwords Be Considered a "Ubiquitous" CVE?

Patrick McBride

Passwords are completely compromised. So much so that we recommend they be placed in a vulnerability class of their own. Since there is no CVE designation designed for this purpose, we recommend a new “Ubiquitous” CVE designation (U-CVE) and drafted a U-CVE for passwords. We are not a certified numbering authority in the CVE program, but believe passwords are uniquely qualified for a modified “Ubiquitous” designation.


Instead of “reminding” (nice euphemism for “forcing”) users to create longer, stronger passwords, to not reuse passwords across applications, and to change their passwords frequently, technology vendors need to think of passwords as a core vulnerability - one that cannot be easily patched. These ubiquitous vulnerabilities can be fixed with modern identity management architectures and the implementation of strong authentication methods.


CVE-ID

U-CVE-1961-0001

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating
• Fix Information
• Vulnerable Software Versions
• SCAP Mappings
• CPE Information

Description

Passwords are a ubiquitous vulnerability across technologies: from networking gear, data center equipment, SaaS apps, and cloud resources to operational technology (OT) and the internet of things (IoT).


Passwords have been the authentication method of choice since the early 1960s. The dawn of the commercial internet in the Netscape days led to the proliferation of passwords. Today, users have hundreds of passwords to remember (or reuse), and the explosion of IoT devices has only exacerbated the issue.


Passwords are a fundamentally flawed method of authenticating users because they are a “shared secret” known by both the user and the server. Thus, passwords can be phished from end-users or stolen in transit with man-in-the-middle or man-on-the-endpoint attacks. Adversaries also exfiltrate entire password databases, decrypt improperly protected passwords, and sell them on the dark web.


It no longer matters if a password is “longer,” “stronger,” “unique,” and “frequently changed” when attackers can phish or steal them en masse and leverage them in account takeover or ransomware attacks.


Passwords are such a fatally flawed means of authenticating users that technology vendors need to switch to a foundationally secure authentication method.
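The shared-secret problem described above, contrasted with a public-key challenge-response login, as an added Go example that is not from the original post or from Beyond Identity. The post does not name which "foundationally secure" method it has in mind, so the Ed25519 challenge-response scheme and the minimal SHA-256 password store below are assumptions made here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// PasswordServer checks a shared secret. (A real server would salt and stretch the
// hash; that does not change the point: the login transmits the password itself,
// so any party that receives it, phishing page or man-in-the-middle, can replay it.)
type PasswordServer struct{ hash [32]byte }

func NewPasswordServer(password string) *PasswordServer {
	return &PasswordServer{hash: sha256.Sum256([]byte(password))}
}

func (s *PasswordServer) Login(password string) bool {
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(h[:], s.hash[:]) == 1
}

// KeyServer stores only a public key and issues a fresh random challenge per login;
// the client signs it. A signature captured for one challenge is useless for another,
// and a leaked table of public keys contains nothing an attacker can log in with.
type KeyServer struct{ Pub ed25519.PublicKey }

func (s *KeyServer) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

func (s *KeyServer) Login(challenge, signature []byte) bool {
	return ed25519.Verify(s.Pub, challenge, signature)
}

func main() {
	pw := NewPasswordServer("correct horse battery staple") // constructed sample secret
	fmt.Println("phished password replayed:", pw.Login("correct horse battery staple")) // true
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ks := &KeyServer{Pub: pub}
	captured := ed25519.Sign(priv, ks.Challenge()) // signature a phishing page could capture
	fmt.Println("captured signature replayed:", ks.Login(ks.Challenge(), captured)) // false
}
```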


We believe this warrants a new class of CVE designation, the U-CVE (Ubiquitous CVE).

References

Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

Beyond Identity

Date Record Created

20210505

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20210505)

Votes (Legacy)


Comments (Legacy)


Proposed (Legacy)

N/A


Going passwordless may seem like a daunting task, but Beyond Identity makes it easy. Beyond Identity provides secure authentication without adding friction for users.

Request a free demo today with Beyond Identity