This code will run successfully, but anyone who can read config.properties can read the value of password. A malicious employee, or any attacker who gains read access to the file, can then use it to reach the password-protected resource.
Example 2
The following C# code reads a password from the Windows registry and uses the password to create a new network credential.

```csharp
...
// username, password and domain were read from the registry above; the
// password sits in the registry value in plaintext.
NetworkCredential netCred = new NetworkCredential(username, password, domain);
...
```
This code will run successfully, but anyone who can read the registry key used to store the password can read the value of password. A malicious employee, or any attacker who gains read access to that key, can then use it to break into the system.
Potential Mitigations
Avoid storing passwords in easily accessible locations such as world-readable configuration files or registry keys.
Consider storing cryptographic hashes of passwords as an alternative to storing them in plaintext. This applies to passwords the application verifies (for example, a user's login password); a credential the application must present to another system cannot be hashed and should instead be kept in an access-controlled store (an OS credential manager or a secrets service) rather than in the configuration file.
Other Notes
Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer may try to remedy the problem by obscuring the password with an encoding function, such as Base64 encoding, but this does not protect the password: an encoding needs no key to reverse, so anyone who can read the file can recover the original value in a single step. Storing a plaintext password in a configuration file gives anyone who can read the file access to the password-protected resource. Developers sometimes believe that they cannot defend the application from someone who already has access to the configuration, but this attitude makes an attacker's job easier. Good password management guidelines require that a password never be stored in plaintext.
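The following Python script is an added example and is not code from the CWE entry. It illustrates both the note above and the hashing mitigation: a constructed config.properties holds a plaintext database credential and an admin login password "obscured" with Base64; the script recovers the encoded value with one library call, flags every password-like entry that is not a stored hash, and then replaces the admin entry with a salted PBKDF2 hash that the application can verify at login. The file contents, key names, password values, the regular expression used to spot password keys and the 600,000-iteration work factor are all assumptions made for this demo. Note that the database credential is still flagged after the fix, because a credential the application must send elsewhere cannot be hashed and has to be moved out of the file instead.

```python
"""Added example, not code from the CWE entry.  Shows (1) that Base64
"obscuring" of a config-file password is undone in one call by anyone who
can read the file, (2) a scan that flags such entries, and (3) storing a
salted PBKDF2 hash for a password the application verifies at login.
All file contents, key names and values are constructed for this demo."""
import base64
import hashlib
import hmac
import os
import re

# Constructed config.properties: a plaintext credential the app presents to
# the database (cannot be hashed; belongs in an access-controlled secret
# store) and an admin login password "obscured" with Base64 ("Adm1nPass").
CONFIG_PROPERTIES = """\
# constructed sample, not a real configuration
db.user=appuser
db.password=Sup3rSecret!
admin.password.encoded=QWRtMW5QYXNz
"""


def parse_properties(text):
    """Minimal parser for Java-style key=value properties files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def recover_encoded_password(props, key):
    """Base64 is an encoding, not encryption: no key is needed to undo it."""
    return base64.b64decode(props[key]).decode()


# Assumed heuristic for password-like keys.
PASSWORD_KEY = re.compile(r"pass(word|wd)?|pwd|secret", re.IGNORECASE)
HASH_PREFIX = "pbkdf2_sha256$"


def find_unprotected_passwords(props):
    """Return password-like keys whose value is not a stored hash.  A Base64
    value counts as unprotected because it is reversible without a key."""
    return [k for k, v in props.items()
            if PASSWORD_KEY.search(k) and not v.startswith(HASH_PREFIX)]


# Assumed work factor; use the largest your login latency budget allows.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' for a password
    the application checks at login.  Not usable for a credential it sends."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return f"{HASH_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so the plaintext never needs to be on disk."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo + "$" != HASH_PREFIX:
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def harden_admin_entry(props):
    """Replace the Base64 admin entry with a salted hash of the same
    password.  The db.password entry is left as-is: it must be moved to a
    protected store, not hashed."""
    password = recover_encoded_password(props, "admin.password.encoded")
    fixed = {k: v for k, v in props.items() if k != "admin.password.encoded"}
    fixed["admin.password"] = hash_password(password)
    return fixed


if __name__ == "__main__":
    props = parse_properties(CONFIG_PROPERTIES)
    print("recovered:", recover_encoded_password(props, "admin.password.encoded"))
    print("unprotected before:", find_unprotected_passwords(props))
    fixed = harden_admin_entry(props)
    print("unprotected after:", find_unprotected_passwords(fixed))
    print("login ok:", verify_password("Adm1nPass", fixed["admin.password"]))
```

Running the script prints the recovered admin password, lists both password entries as unprotected, and after hardening lists only db.password, which still has to be relocated to a credential store; the final line shows the hashed entry verifying the correct login.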
Weakness Ordinalities
Ordinality: Primary (where the weakness exists independent of other weaknesses)