Storing Passwords in a Recoverable Format

ID: 257
Date: (C) 2012-05-14   (M) 2022-10-10
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base

Description

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Likelihood of Exploit: Very High

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design

Related Attack Patterns

Common Consequences

Scope | Technical Impact | Notes
Confidentiality, Access_Control | Gain privileges / assume identity | User's passwords may be revealed.
Access_Control | Gain privileges / assume identity | Revealed passwords may be reused elsewhere to impersonate the users in question.

Detection Methods
None

Potential Mitigations

Phase | Strategy | Description | Effectiveness | Notes
Architecture and Design |  | Use strong, non-reversible encryption to protect stored passwords. |  | 

Relationships

Related CWE | Type | View | Chain
CWE-257 ChildOf CWE-895 | Category | CWE-888 | 

Demonstrative Examples   (Details)

  1. Both of these examples verify a password by comparing it to a stored compressed version. (Demonstrative Example Id DX-59)
  2. The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in plaintext. (Demonstrative Example Id DX-43)
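As an added example (not part of this CWE entry), the "compare against a stored compressed copy" pattern of demonstrative example DX-59 is shown beside the non-reversible replacement the mitigation calls for: a per-record salt, a slow one-way KDF (PBKDF2-HMAC-SHA256) and a constant-time comparison. All function and record-format names are assumed for illustration.

```python
"""Added example (not from the CWE entry): a recoverable password store
next to a non-reversible one.  Identifiers here are illustrative."""
import hashlib
import hmac
import os
import zlib

# --- The weakness: a "compressed" password is fully recoverable ------------
def store_recoverable(password: str) -> bytes:
    """Mimics DX-59: the record is just a compressed copy of the password."""
    return zlib.compress(password.encode("utf-8"))

def verify_recoverable(password: str, stored: bytes) -> bool:
    # Verification works, but anyone holding `stored` (an administrator,
    # a backup, a leaked dump) can decompress it back to the password.
    return zlib.compress(password.encode("utf-8")) == stored

def recover(stored: bytes) -> str:
    """Demonstrates the weakness: the original password comes straight back."""
    return zlib.decompress(stored).decode("utf-8")

# --- The mitigation: salted, slow, one-way hash ----------------------------
ALG = "pbkdf2_sha256"          # assumed record tag, not a standard format

def store_hashed(password: str, iterations: int = 600_000) -> str:
    salt = os.urandom(16)      # unique per record, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: parameters can be raised later without a reset
    return f"{ALG}${iterations}${salt.hex()}${dk.hex()}"

def verify_hashed(password: str, record: str) -> bool:
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:         # malformed record: fail closed
        return False
    if alg != ALG:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: does not leak how many bytes matched
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    weak = store_recoverable("hunter2")       # constructed sample password
    print("recoverable store leaks:", recover(weak))
    rec = store_hashed("hunter2")
    print("hashed record:", rec)
    print("verify ok:", verify_hashed("hunter2", rec),
          "wrong:", verify_hashed("hunter3", rec))
```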

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy | Id | Name | Fit
CLASP |  | Storing passwords in a recoverable format | 


References:
None

CVE    1
CVE-2021-27485

© SecPod Technologies