Tag Archives: CWE- 259

CWE-259 – Use of Hard-coded Password

Read Time:1 Minute, 9 Second

Description

The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-798
CWE-798
CWE-798
CWE-321
CWE-257

 

Consequences

Access Control: Gain Privileges or Assume Identity

If hard-coded passwords are used, it is almost certain that malicious users will gain access through the account in question.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.

Phase: Architecture and Design

Description: 

For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a “first login” mode that requires the user to enter a unique strong password.

Phase: Architecture and Design

Description: 

Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

CVE References