Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE-321: Use of Hard-coded Cryptographic Key

Use of Hard-coded Cryptographic Key
Weakness ID: 321 (Weakness Base)
Status: Draft
+ Description

Description Summary

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms



+ Common Consequences
Scope: Access Control

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question.

+ Likelihood of Exploit


+ Demonstrative Examples

Example 1

The following code examples attempt to verify a password using a hard-coded cryptographic key.

(Bad Code)
Example Languages: C and C++

  #include <stdio.h>
  #include <string.h>

  int VerifyAdmin(char *password) {
    /* the "key" is a string literal compiled into the binary */
    if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
      printf("Incorrect Password!\n");
      return 0;
    }
    printf("Entering Diagnostic Mode...\n");
    return 1;
  }

(Bad Code)
Example Language: Java

  public boolean VerifyAdmin(String password) {
    // the "key" is a string literal embedded in the class file
    if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
      System.out.println("Entering Diagnostic Mode...");
      return true;
    }
    System.out.println("Incorrect Password!");
    return false;
  }

(Bad Code)
Example Language: C#

  int VerifyAdmin(String password) {
    // the "key" is a string literal embedded in the assembly
    if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {
      Console.WriteLine("Entering Diagnostic Mode...");
      return 1;
    }
    Console.WriteLine("Incorrect Password!");
    return 0;
  }

The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system.

+ Potential Mitigations

Phase: Architecture and Design

Prevention schemes mirror those for hard-coded password storage: keep the secret out of the program image, provision it at runtime from a protected location, and compare it in a way that does not leak information.
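The following is an added illustration, not part of the CWE entry, of what the mitigation above looks like when applied to the demonstrative example. The expected credential is no longer a literal in the source; it is handed to the verifier by the caller, which here reads it from a file named by a hypothetical ADMIN_SECRET_FILE environment variable (an assumption made for the example). Comparison runs in constant time, and a small scanner shows the defender-side check that would have flagged the original snippet: a quoted 32-hex-digit literal. In a real deployment the provisioned value would itself be a salted hash rather than the plaintext credential, which is the usual further step for hard-coded passwords (CWE-259) and is omitted here for brevity.

```c
/* Added example (not CWE text). Assumptions: the expected credential lives
 * outside the binary and is read from the file named by the hypothetical
 * ADMIN_SECRET_FILE environment variable; the caller passes it in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_SECRET 256

/* Compare two strings without returning early on the first mismatch, so the
 * running time does not reveal how many leading characters were correct. */
int constant_time_equals(const char *a, const char *b) {
    size_t alen = strlen(a), blen = strlen(b);
    size_t n = alen > blen ? alen : blen;
    unsigned char diff = (unsigned char)(alen != blen);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < alen ? (unsigned char)a[i] : 0;
        unsigned char cb = i < blen ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Hardened counterpart of the page's VerifyAdmin: the expected value is a
 * parameter, so no secret is compiled into the program text. A missing or
 * empty secret is treated as "deny", never as "anything matches". */
int VerifyAdminAgainst(const char *password, const char *expected) {
    if (password == NULL || expected == NULL || expected[0] == '\0') {
        printf("Incorrect Password!\n");
        return 0;
    }
    if (!constant_time_equals(password, expected)) {
        printf("Incorrect Password!\n");
        return 0;
    }
    printf("Entering Diagnostic Mode...\n");
    return 1;
}

/* Load the secret from a file outside the image. The path comes from the
 * hypothetical ADMIN_SECRET_FILE environment variable. Returns 1 on success. */
int load_secret_from_env(char *out, size_t outlen) {
    const char *path = getenv("ADMIN_SECRET_FILE");
    if (path == NULL) return 0;
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    int ok = fgets(out, (int)outlen, f) != NULL;
    fclose(f);
    if (!ok) return 0;
    out[strcspn(out, "\r\n")] = '\0';   /* drop the trailing newline */
    return out[0] != '\0';
}

/* Defender-side check: count string literals in a source buffer whose body is
 * exactly 32 hex digits, the shape of the key in the page's examples. This is
 * a heuristic; a code review also looks at literals of other lengths. */
int count_hex32_literals(const char *src) {
    int count = 0;
    const char *p = src;
    while ((p = strchr(p, '"')) != NULL) {
        const char *start = p + 1;
        const char *end = strchr(start, '"');
        if (end == NULL) break;
        size_t len = (size_t)(end - start);
        if (len == 32) {
            int all_hex = 1;
            for (size_t i = 0; i < len; i++)
                if (!isxdigit((unsigned char)start[i])) { all_hex = 0; break; }
            count += all_hex;
        }
        p = end + 1;
    }
    return count;
}

int main(void) {
    /* Constructed sample: the page's bad snippet as a string, fed to the scanner. */
    const char *bad_source =
        "if (strcmp(password,\"68af404b513073584c4b6f22b6c63e6b\")) {\n";
    printf("hard-coded 32-hex literals found: %d\n", count_hex32_literals(bad_source));

    char secret[MAX_SECRET];
    if (!load_secret_from_env(secret, sizeof secret)) {
        printf("no admin secret provisioned; diagnostic mode disabled\n");
        return 1;
    }
    return VerifyAdminAgainst("user-supplied-password", secret) ? 0 : 1;
}
```

Run with ADMIN_SECRET_FILE pointing at a file readable only by the service account; with the variable unset the program refuses to enter diagnostic mode rather than falling back to a built-in value, which is the failure mode the weakness describes.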

+ Other Notes

The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.

+ Relationships
Nature    | Type          | ID  | Name                                                         | View(s) this relationship pertains to
ChildOf   | Category      | 320 | Key Management Errors                                        | Development Concepts (699)
ChildOf   | Category      | 719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage | Weaknesses in OWASP Top Ten (2007) (primary) (629)
ChildOf   | Category      | 720 | OWASP Top Ten 2007 Category A9 - Insecure Communications     | Weaknesses in OWASP Top Ten (2007) (629)
ChildOf   | Category      | 729 | OWASP Top Ten 2004 Category A8 - Insecure Storage            | Weaknesses in OWASP Top Ten (2004) (primary) (711)
ChildOf   | Weakness Base | 798 | Use of Hard-coded Credentials                                | Development Concepts (primary) (699); Research Concepts (primary) (1000)
ChildOf   | Category      | 950 | SFP Secondary Cluster: Hardcoded Sensitive Data              | Software Fault Pattern (SFP) Clusters (primary) (888)
CanFollow | Weakness Base | 656 | Reliance on Security Through Obscurity                       | Research Concepts (1000)
PeerOf    | Weakness Base | 259 | Use of Hard-coded Password                                   | Research Concepts (1000)
+ Taxonomy Mappings
Mapped Taxonomy Name    | Node ID | Fit               | Mapped Node Name
CLASP                   |         |                   | Use of hard-coded cryptographic key
OWASP Top Ten 2007      | A8      | CWE More Specific | Insecure Cryptographic Storage
OWASP Top Ten 2007      | A9      | CWE More Specific | Insecure Communications
OWASP Top Ten 2004      | A8      | CWE More Specific | Insecure Storage
Software Fault Patterns | SFP33   |                   | Hardcoded sensitive data
+ Content History
Submission Date | Submitter | Organization | Source
                | CLASP     |              | Externally Mined

Modification Date | Modifier         | Organization | Source   | Changes
2008-07-01        | Eric Dalci       | Cigital      | External | updated Time_of_Introduction
                  |                  |              |          | Suggested OWASP Top Ten 2004 mapping
2008-09-08        | CWE Content Team | MITRE        | Internal | updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2009-05-27        | CWE Content Team | MITRE        | Internal | updated Demonstrative_Examples
2010-02-16        | CWE Content Team | MITRE        | Internal | updated Relationships
2010-09-27        | CWE Content Team | MITRE        | Internal | updated Relationships
2010-12-13        | CWE Content Team | MITRE        | Internal | updated Relationships
2011-06-01        | CWE Content Team | MITRE        | Internal | updated Common_Consequences
2012-05-11        | CWE Content Team | MITRE        | Internal | updated Demonstrative_Examples, Relationships
2014-07-30        | CWE Content Team | MITRE        | Internal | updated Demonstrative_Examples, Relationships, Taxonomy_Mappings
Page Last Updated: December 08, 2015