
CWE-256 – Plaintext Storage of a Password


Description

Storing a password in plaintext may result in a system compromise.

Password management issues occur when a password is stored in plaintext in an application’s properties, configuration file, or memory. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.

Modes of Introduction:

– Architecture and Design


Likelihood of Exploit: High


Related Weaknesses

CWE-522


Consequences

Access Control: Gain Privileges or Assume Identity


Potential Mitigations

Phase: Architecture and Design

Description: 

Avoid storing passwords in easily accessible locations.

Phase: Architecture and Design

Description: 

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Phase:

Effectiveness: None

Description: 

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
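The following example is added here and is not part of the CWE entry. It shows the base64 "obscuring" pattern the text warns about (the value decodes straight back to the password) next to the hashing mitigation for credentials the system verifies: a salted, slow PBKDF2-HMAC-SHA256 hash compared in constant time. The iteration count and record format are assumptions chosen for the example. Note that hashing applies to passwords the system checks (user logins); a secret the application must present to another system (a database password) cannot be hashed and must instead be kept out of easily accessible locations.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Weak pattern from the text: base64 is an encoding, not encryption. Anyone
# who can read this config recovers the password with one decode call.
# The value "hunter2" is a constructed sample, not a real credential.
WEAK_CONFIG = {"db_password": base64.b64encode(b"hunter2").decode()}


def recover_from_weak_config(config: dict) -> str:
    """Demonstrates that the 'obscured' value is trivially reversible."""
    return base64.b64decode(config["db_password"]).decode()


# Mitigation: store only a salted, slow hash of user passwords.
# Iteration count is an assumption for this example (tune to your hardware).
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (base64)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(actual, expected)
```

The stored record never contains the password, so reading the credential store yields only salts and digests that must be brute-forced, and the per-password salt prevents precomputed tables from being reused across accounts.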

CVE References