CWE-261: Weak Cryptography for Passwords
ID: 261 | Created: 2012-05-14 | Modified: 2022-10-10
Type: weakness | Status: INCOMPLETE | Abstraction Type: Variant
Description
Obscuring a password with a trivial encoding does not protect the password: the
encoding is reversible without any secret, so anyone who can read the stored
value can recover the password.
Applicable Platforms
Language Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Access Control | Gain privileges / assume identity |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
 | | Passwords should be encrypted with keys that are at least 128 bits in length for adequate security. | | Encryption applies when the application must present the password to another system, as in the demonstrative examples; the key must be kept out of the file that holds the encrypted value, or the scheme is only another encoding. A credential that the application only verifies, never replays, is better stored as a salted password hash.
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-261 ChildOf CWE-903 | Category | CWE-888 |
Demonstrative Examples
- The following code reads a password from a properties file and uses
the password to connect to a database.
- The following code reads a password from the registry and uses the
password to create a new network credential.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
7 Pernicious Kingdoms | | Password Management: Weak Cryptography |
OWASP Top Ten 2004 | A8 | Insecure Storage | CWE_More_Specific
References:
- John Viega and Gary McGraw. Building Secure Software: How to Avoid Security Problems the Right Way, 1st Edition. Addison-Wesley, 2002.
- Michael Howard, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section: "Sin 19: Use of Weak Password-Based Systems", page 279.