[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

246852

 
 

909

 
 

194149

 
 

282

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Plaintext Storage of a Password

ID: 256Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Variant





Description

Storing a password in plaintext may result in a system compromise.

Likelihood of Exploit: Very High

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design

Common Consequences

ScopeTechnical ImpactNotes
Access_Control
 
Gain privileges / assume identity
 
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 Avoid storing passwords in easily accessible locations.
 
  
Architecture and Design
 
 Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
 
  

Relationships

Related CWETypeViewChain
CWE-256 ChildOf CWE-895 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following code reads a password from a properties file and uses the password to connect to a database. (Demonstrative Example Id DX-57)
  2. The following code reads a password from the registry and uses the password to create a new network credential. (Demonstrative Example Id DX-58)
  3. The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in plaintext. (Demonstrative Example Id DX-43)

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
7 Pernicious Kingdoms  Password Management
 
 

References:

  1. John Viega Gary McGraw .Building Secure Software: How to Avoid Security Problems the Right Way 1st Edition. Addison-Wesley. Published on 2002.
CVE    9
CVE-2021-21681
CVE-2021-36317
CVE-2020-2291
CVE-2020-2297
...

© SecPod Technologies