Plaintext Storage of a Password| ID: 256 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Variant |
Description
Storing a password in plaintext may result in a system
compromise.
Likelihood of Exploit: Very High
Applicable PlatformsLanguage Class: All
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Avoid storing passwords in easily accessible locations. | | |
| Architecture and Design | | Consider storing cryptographic hashes of passwords as an alternative
to storing in plaintext. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-256 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code reads a password from a properties file and uses
the password to connect to a database. (Demonstrative Example Id DX-57)
- The following code reads a password from the registry and uses the
password to create a new network credential. (Demonstrative Example Id DX-58)
- The following examples show a portion of properties and
configuration files for Java and ASP.NET applications. The files include
username and password information but they are stored in
plaintext. (Demonstrative Example Id DX-43)
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| 7 Pernicious Kingdoms | | Password Management | |
References:
- John Viega Gary McGraw .Building Secure Software: How to Avoid Security Problems the
Right Way 1st Edition. Addison-Wesley. Published on 2002.
