This code will run successfully, but anyone with access to
config.properties can read the value of password and easily determine
that the value has been base 64 encoded. If a devious employee has
access to this information, they can use it to break into the system.
Example 2
The following code reads a password from the registry and uses the
password to create a new network credential.
(Bad Code)
Example
Language: Java
...
string value = regKey.GetValue(passKey).ToString();
This code will run successfully, but anyone who has access to the
registry key used to store the password can read the value of password.
If a devious employee has access to this information, they can use it to
break into the system.
Potential Mitigations
Passwords should be encrypted with keys that are at least 128 bits in
length for adequate security.
Other Notes
Password management issues occur when a password is stored in plaintext in
an application's properties or configuration file. A programmer can attempt
to remedy the password management problem by obscuring the password with an
encoding function, such as base 64 encoding, but this effort does not
adequately protect the password.
The "crypt" family of functions uses weak cryptographic algorithms and
should be avoided. It may be present in some projects for
compatibility.
[REF-9] John Viega and
Gary McGraw. "Building Secure Software: How to Avoid Security Problems the
Right Way". 1st Edition. Addison-Wesley. 2002.
[REF-17] Michael Howard, David LeBlanc
and John Viega. "24 Deadly Sins of Software Security". "Sin 19: Use of Weak Password-Based Systems." Page
279. McGraw-Hill. 2010.
Description
