Description
The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
Modes of Introduction:
– Implementation
Likelihood of Exploit: High
Related Weaknesses
CWE-798
CWE-798
CWE-798
CWE-321
CWE-257
Consequences
Access Control: Gain Privileges or Assume Identity
If hard-coded passwords are used, it is almost certain that malicious users will gain access through the account in question.
Potential Mitigations
Phase: Architecture and Design
Description:
For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Phase: Architecture and Design
Description:
For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a “first login” mode that requires the user to enter a unique strong password.
Phase: Architecture and Design
Description:
Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Phase: Architecture and Design
Description:
Phase: Architecture and Design
Description: