
CWE-258 – Empty Password in Configuration File


Description

Using an empty string as a password is insecure.

Modes of Introduction:

– Architecture and Design


Likelihood of Exploit: High


Related Weaknesses

CWE-260
CWE-521


Consequences

Access Control: Gain Privileges or Assume Identity


Potential Mitigations

Phase: System Configuration

Description:

Passwords should be at least eight characters long — the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use “similar-looking” punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.
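The two checks the mitigation implies, that no credential in a configuration file is an empty string and that a chosen password is not a dictionary word merely disguised with look-alike characters, can be mechanised. The following script is an added example, not part of the CWE entry: it scans simple key=value or key: value configuration text for credential keys with empty values, and grades a candidate password against the rules above. The key names, the tiny word list, the look-alike substitution table and the sample configuration are all constructed assumptions; a real deployment would use a full wordlist and its own key naming.

```python
"""Detect empty passwords in configuration text (CWE-258) and check a
candidate password against the guidance: length, dictionary words, and
look-alike substitutions such as c@t or (@+ for cat."""
import re
from typing import List

# Substrings that mark a key as a credential (constructed assumption).
PASSWORD_KEYS = ("password", "passwd", "pwd", "secret")

# Tiny stand-in for a real wordlist (constructed assumption).
DICTIONARY = {"cat", "password", "admin", "secret", "london", "smith"}

# Common look-alike characters mapped back to the letter they imitate,
# so "c@t" and "(@+" both normalise to "cat".
LOOKALIKES = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "i",
    "0": "o", "$": "s", "5": "s", "+": "t", "7": "t", "(": "c",
})

# key = value  or  key: value ; comments start with # or ;
_KV_LINE = re.compile(r"^([A-Za-z_][\w.-]*)\s*[=:]\s*(.*)$")

# Constructed sample configuration, not taken from any real system.
SAMPLE_CONFIG = """\
# constructed sample config
DB_USER=app
DB_PASSWORD=
api_secret=""
smtp_password:
admin_password='hunter2'
"""


def find_empty_passwords(config_text: str) -> List[str]:
    """Return credential keys whose value is empty (or just an empty quote pair)."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = _KV_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if not any(marker in key.lower() for marker in PASSWORD_KEYS):
            continue
        # Treat '', "" and a bare key with nothing after the separator as empty.
        if value.strip("'\"") == "":
            findings.append(key)
    return findings


def password_issues(password: str) -> List[str]:
    """List the ways a password violates the guidance; empty list means it passes."""
    if password == "":
        return ["empty password"]
    issues = []
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    lowered = password.lower()
    undisguised = lowered.translate(LOOKALIKES)
    if lowered in DICTIONARY:
        issues.append(f"dictionary word '{lowered}'")
    elif undisguised in DICTIONARY:
        issues.append(
            f"dictionary word '{undisguised}' disguised with look-alike characters"
        )
    if not any(ch.isdigit() or not ch.isalnum() for ch in password):
        issues.append("no digits or punctuation")
    return issues


if __name__ == "__main__":
    for key in find_empty_passwords(SAMPLE_CONFIG):
        print(f"empty credential in config: {key}")
    for candidate in ["", "c@t", "(@+", "password", "correct-horse-9"]:
        print(f"{candidate!r}: {password_issues(candidate) or 'ok'}")
```

Run on the embedded sample it reports DB_PASSWORD, api_secret and smtp_password as empty credentials, and flags both c@t and (@+ as the dictionary word cat in disguise, which is exactly the substitution the guidance warns against. The look-alike normalisation is deliberately lossy (1 and ! both map to i) because its only job is dictionary membership, not reversible decoding.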

CVE References