CWE-258: Empty Password in Configuration File
Description
Using an empty string as a password is insecure.
Submission Date :
July 19, 2006, midnight
Modification Date :
2023-10-26 00:00:00+00:00
Organization :
MITRE
Example - 1
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but the password is provided as an empty string.
This Java example shows a properties file with an empty password string.
// # Java Web App ResourceBundle properties file//
...webapp.ldap.username=secretUsernamewebapp.ldap.password=...
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database and the password is provided as an empty string.
...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>...
An empty string should never be used as a password as this can allow unauthorized access to the application. Username and password information should not be included in a configuration file or a properties file in clear text. If possible, encrypt this information and avoid CWE-260 and CWE-13.
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.