Technical Impact: Gain privileges / assume
Likelihood of Exploit
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information, but the password is provided as an empty
This Java example shows a properties file with an empty password
# Java Web App ResourceBundle properties file
The following example shows a portion of a configuration file for an ASP.NET application. This configuration file includes username and password information for a connection to a database, and the password is provided as an empty string.
An empty string should never be used as a password, as it can allow unauthorized access to the application. Username and password information should not be stored in a configuration file or a properties file in clear text. If possible, encrypt this information, and avoid CWE-260 and CWE-13.
Phase: System Configuration
Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.
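The two configuration examples above (the Java properties file and the ASP.NET connection string) and the password guidance in this mitigation can be turned into a simple configuration audit. The script below is an added example and not part of the CWE entry: it extracts password entries from both file formats, flags the empty-string case that CWE-258 describes, and grades the rest against the guidance (at least eight characters, not a dictionary word even after look-alike substitutions such as c@t). The sample files, the key names it looks for and the tiny word list are constructed assumptions for the demonstration.

```python
"""Added example, not part of the CWE entry: scan a Java properties file and an
ASP.NET web.config fragment for password entries and grade each one against the
guidance above (never empty, at least eight characters, not a dictionary word
even with look-alike substitutions). Key names, the sample files and the tiny
word list are constructed for the demonstration."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: Java properties file with an empty LDAP password (the
# CWE-258 pattern) and a weak database password.
JAVA_PROPERTIES = """\
# Java Web App ResourceBundle properties file (constructed sample)
webapp.ldap.username=secretUsername
webapp.ldap.password=
webapp.db.user=dbuser
webapp.db.password=c@t
"""

# Constructed sample: ASP.NET web.config fragment with one empty password in a
# connection string and one acceptable password.
ASPNET_WEB_CONFIG = """\
<configuration>
  <connectionStrings>
    <add name="Sales"
         connectionString="Server=db;Database=sales;User ID=sa;Password=;" />
    <add name="Reports"
         connectionString="Server=db;Database=rpt;User ID=rep;Password=Tr0ub4dor-3x9;" />
  </connectionStrings>
</configuration>
"""

# Stand-in for a real word list (assumption: a deployment would load a dictionary).
DICTIONARY = {"cat", "password", "secret", "admin", "welcome"}

# Look-alike substitutions the guidance warns about (c@t, ca+, (@+ are all "cat").
LEET = str.maketrans({"@": "a", "4": "a", "+": "t", "7": "t", "(": "c",
                      "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s"})

# Assumed key names that denote a password in either format.
PASSWORD_KEYS = ("password", "passwd", "pwd")


def java_properties_passwords(text):
    """Return [(key, value)] for properties whose key names a password."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # comments and blank lines
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m and any(k in m.group(1).lower() for k in PASSWORD_KEYS):
            found.append((m.group(1), m.group(2).strip()))
    return found


def connection_string_passwords(text):
    """Return [(connection name, password)] from <connectionStrings><add .../>."""
    found = []
    for add in ET.fromstring(text).iter("add"):
        conn = add.get("connectionString", "")
        for part in conn.split(";"):
            key, sep, value = part.partition("=")
            if sep and key.strip().lower() in PASSWORD_KEYS:
                found.append((add.get("name", "?"), value.strip()))
    return found


def assess_password(value):
    """Grade one password: 'empty' (CWE-258), 'dictionary', 'short' or 'ok'."""
    if value == "":
        return "empty"
    # Undo look-alike substitutions before the dictionary check, so c@t == cat.
    if value.lower().translate(LEET) in DICTIONARY:
        return "dictionary"
    if len(value) < 8:
        return "short"
    return "ok"


def scan(java_text, webconfig_text):
    """Return [(source, identifier, verdict)] for every password found."""
    findings = [("java.properties", key, assess_password(val))
                for key, val in java_properties_passwords(java_text)]
    findings += [("web.config", name, assess_password(val))
                 for name, val in connection_string_passwords(webconfig_text)]
    return findings


if __name__ == "__main__":
    for source, ident, verdict in scan(JAVA_PROPERTIES, ASPNET_WEB_CONFIG):
        print(f"{source}: {ident}: {verdict}")
```

Run against the constructed samples, the scan reports the LDAP and Sales passwords as empty, the database password c@t as a dictionary word, and the Reports password as acceptable. Such a check fits naturally in a pre-commit hook or a build step so that an empty or weak password never reaches a deployed configuration file.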
the weakness exists independent of other weaknesses)