Should Passwords Be Considered a "Ubiquitious" CVE?

5/5/2021

Passwords are completely compromised. So much so that we recommend they be placed in a vulnerability class of their own. Since there is no CVE designation designed for this purpose, we recommend a new “Ubiquitous” CVE designation (U-CVE) and drafted a U-CVE for passwords. We are not a certified numbering authority in the CVE program, but believe passwords are uniquely qualified for a modified “Ubiquitous” designation.

Instead of “reminding” (nice euphemism for “forcing”) users to create longer, stronger passwords, to not reuse passwords across applications, and to change their passwords frequently, technology vendors need to think of passwords as a core vulnerability - one that cannot be easily patched. These ubiquitous vulnerabilities can be fixed with modern identity management architectures and the implementation of strong authentication methods.

CVE-ID

U-CVE-1961-0001

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

Passwords are a ubiquitous vulnerability across technologies–from networking gear, data center equipment, SaaS apps, and cloud resources to operational technologies (OT) and interest of things (IoT).

Passwords have been the authentication method of choice since the early 1960s. The dawn of commercial internet beginning in the Netscape days lead to the proliferation of passwords. Today, users have hundreds of passwords to remember (or reuse), and the explosion of IoT devices has only exacerbated the issue.

Passwords are a fundamentally flawed method of authenticating users because they are a “shared secret” known by both the user and the server. Thus, passwords can be phished from end-users or stolen in transit with man-in-the-middle or man-on-the-endpoint attacks. Adversaries also exfiltrate entire password databases, decrypt improperly protected passwords, and sell them on the dark web.

It no longer matters if a password is “longer,” “stronger,” “unique,” and “frequently changed” when attackers can phish or steal them en masse and leverage them in account takeover or ransomware attacks.

Passwords are such a fatally flawed means of authenticating users and that technology vendors need to switch to a foundationally secure authentication method.

We believe this warrants a new class of CVE designation, the UCVE (Ubiquitous CVE).

References

Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

6,022 CVE’s reference passwords related issues
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=password
Root password vulnerabilities:
- Insecure Physical Password Storage
  - https://www.post-it.com/3M/en_US/post-it/products/~/Post-it-Products/Notes/?N=4327+5927575+3294529207+3294857497&rt=r3
- Default Passwords
  - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=password+default
- Password Reuse/Easily Guessed (please don’t blame the intern)
  - https://thehackernews.com/2021/03/solarwinds-blame-intern-for-weak.html
- Poorly Protected Passwords
  - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=password+salt
- Flawed Password Managers
  - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=password+manager
Impact:
- Pwned Passwords (613,584,246 real-world passwords previously exposed in data breaches)
  - https://haveibeenpwned.com/Passwords
- 2020 Verizon Data Breach Investigations Report
  - https://enterprise.verizon.com/content/verizonenterprise/us/en/index/resources/reports/2020-data-breach-investigations-report.pdf
    - Results and Analysis – “As time goes on, it appears that attackers become increasingly efficient and lean more toward attacks such as phishing and credential theft.”
    - (page 20) “Figure 6, at the very beginning of the Results and Analysis section, it is apparent that the use of credentials has been on a meteoric rise.”
    - (page 20) “We found basically no relationship between a credential leak and the amount of credential stuffing that occurred the week after. Instead, it appears to be a ubiquitous process that moves at a more or less consistent pace: Get a leak, append to your dictionary, continue brute-forcing the internet. Rinse, repeat.”

Assigning CNA

Beyond Identity

Date Record Created

20210505

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20210505)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

Going passwordless may seem like a daunting task, but Beyond Identity makes it easy. Beyond Identity provides secure authentication without adding friction for users.