CWE-257: Storing Passwords in a Recoverable Format
Storing Passwords in a Recoverable Format
Weakness ID: 257 (Weakness Base)
Status: Incomplete
Description
Description Summary
The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
Time of Introduction
Architecture and Design
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Confidentiality
Access Control
Technical Impact: Gain privileges / assume
identity
User's passwords may be revealed.
Access Control
Technical Impact: Gain privileges / assume
identity
Revealed passwords may be reused elsewhere to impersonate the users in
question.
Likelihood of Exploit
Very High
Demonstrative Examples
Example 1
Both of these examples verify a password by comparing it to a stored
compressed version.
(Bad Code)
Example Languages: C and C++
int VerifyAdmin(char *password) {
if (strcmp(compress(password), compressed_password)) {
printf("Incorrect Password!\n");
return(0);
}
printf("Entering Diagnostic Mode...\n");
return(1);
}
(Bad Code)
Example
Language: Java
int VerifyAdmin(String password) {
if (passwd.Equals(compress(password), compressed_password))
{
return(0);
}
//Diagnostic Mode
return(1);
}
Because a compression algorithm is used instead of a one way hashing
algorithm, an attacker can recover compressed passwords stored in the
database.
Example 2
The following examples show a portion of properties and
configuration files for Java and ASP.NET applications. The files include
username and password information but they are stored in
plaintext.
This Java example shows a properties file with a plaintext username /
password pair.
(Bad Code)
Example
Language: Java
# Java Web App ResourceBundle properties file
...
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
...
The following example shows a portion of a configuration file for an
ASP.Net application. This configuration file includes username and
password information for a connection to a database but the pair is
stored in plaintext.
Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information and avoid CWE-260 and CWE-13.
Potential Mitigations
Phase: Architecture and Design
Use strong, non-reversible encryption to protect stored
passwords.
Other Notes
The use of recoverable passwords significantly increases the chance that
passwords will be used maliciously. In fact, it should be noted that
recoverable encrypted passwords provide no significant benefit over
plain-text passwords since they are subject not only to reuse by malicious
attackers but also by malicious insiders.
Weakness Ordinalities
Ordinality
Description
Primary
(where
the weakness exists independent of other weaknesses)
Description
