Weak Encoding for Password

Incomplete Base

Structure: Simple

Description

Obscuring a password with a trivial encoding does not protect the password.

Extended Description

Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password.

Common Consequences 1

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 1

Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.

Demonstrative Examples 2

The following code reads a password from a properties file and uses the password to connect to a database.

Code Example:Bad
Java
java

This code will run successfully, but anyone with access to config.properties can read the value of password and easily determine that the value has been base 64 encoded. If a devious employee has access to this information, they can use it to break into the system.

The following code reads a password from the registry and uses the password to create a new network credential.

Code Example:Bad
C#
c#

This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system.

References 3

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Katrina Tsipenyuk, Brian Chess, and Gary McGraw

NIST Workshop on Software Security Assurance Tools Techniques and Metrics • NIST

07-11-2005

https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

ID: REF-6

Building Secure Software: How to Avoid Security Problems the Right Way

John Viega and Gary McGraw

Addison-Wesley

2002

ID: REF-207

24 Deadly Sins of Software Security

Michael Howard, David LeBlanc, and John Viega

McGraw-Hill

2010

ID: REF-44

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Related Attack Patterns

55
Path Equivalence: '/./' (Single Dot Directory)

Related Weaknesses

ChildOf:

Insufficiently Protected Credentials (CWE-522)

Taxonomy Mapping

7 Pernicious Kingdoms
OWASP Top Ten 2004

Notes

Other The "crypt" family of functions uses weak cryptographic algorithms and should be avoided. It may be present in some projects for compatibility.