
CWE-260 Individual Dictionary Definition (Draft 9)

Password in Configuration File
Weakness ID: 260 (Weakness Variant)
Status: Incomplete

Description

Summary

Storing a password in a configuration file may result in system compromise. An attacker who gains access to the file can read the stored password or, worse yet, change it to one of their choosing.

Affected Resource

File/Directory

Potential Mitigations

Avoid storing passwords in easily accessible locations.

Consider storing cryptographic hashes of passwords as an alternative to storing them in plaintext.
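The two mitigations above, worked through as an added example (this is not code from the CWE entry or its references): a checker that reads an INI-style configuration file and flags every credential key whose value is plaintext or empty, plus the salted PBKDF2 hash-and-verify routines that let a verified password (an admin login, for instance) be stored as a hash instead. The configuration text, the key names treated as credentials and the "pbkdf2_sha256$" storage format are all constructed for the example.

```python
"""Flag passwords stored in a configuration file and show the hashed alternative."""
import configparser
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Heuristic list of key names treated as credentials (assumption; extend for your format).
CREDENTIAL_KEYS = ("password", "passwd", "pwd", "secret", "api_key", "token")
# Constructed storage format for hashed values: scheme$iterations$salt_hex$digest_hex
HASH_PREFIX = "pbkdf2_sha256$"

# Constructed sample configuration (not from any real system). [database] stores a
# plaintext password; [cache] stores an empty one (the pattern of CWE-258).
WEAK_CONFIG = """
[database]
host = db.internal.example
user = app
password = hunter2

[cache]
host = cache.internal.example
password =
"""


def find_stored_passwords(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, finding) for each credential key holding a plaintext
    or empty value. Values already in the HASH_PREFIX format are accepted."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not any(marker in key.lower() for marker in CREDENTIAL_KEYS):
                continue
            value = value.strip()
            if value == "":
                findings.append((section, key, "empty"))
            elif not value.startswith(HASH_PREFIX):
                findings.append((section, key, "plaintext"))
    return findings


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 value that can be stored in place of the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{HASH_PREFIX}{iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme + "$" != HASH_PREFIX:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # malformed stored value: wrong field count, bad hex or iteration count
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def example_hardened_config() -> str:
    """Constructed configuration where a password the application verifies is stored hashed."""
    return (
        "[admin]\n"
        "user = admin\n"
        f"password_hash = {hash_password('correct horse battery staple')}\n"
    )


if __name__ == "__main__":
    for section, key, finding in find_stored_passwords(WEAK_CONFIG):
        print(f"[{section}] {key}: {finding} credential stored in configuration")
    hardened = example_hardened_config()
    print("hardened config findings:", find_stored_passwords(hardened))
```

The hashed form only helps for credentials the application itself verifies. A password the application must present to another system (the database password in the sample) cannot be replaced by its hash; for those the applicable mitigation is the first one, keeping the value out of easily accessible locations and restricting who can read the file.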

References

J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002.

Relationships
Nature    | Type             | ID  | Name
ChildOf   | Weakness Base    | 522 | Insufficiently Protected Credentials
ChildOf   | Category         | 632 | Weaknesses that Affect Files or Directories
ParentOf  | Weakness Variant | 13  | ASP.NET Misconfiguration: Password in Configuration File
ParentOf  | Weakness Variant | 258 | Empty Password in Configuration File
Source Taxonomies

7 Pernicious Kingdoms - Password Management: Password in Configuration File

Applicable Platforms

All

Page Last Updated: April 22, 2008