Empty Password in Configuration File
Weakness ID: 258 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

Using an empty string as a password is insecure.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms



+ Likelihood of Exploit

Very High

+ Potential Mitigations

Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.

+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory254Security Features
Seven Pernicious Kingdoms (primary)700
ChildOfWeakness VariantWeakness Variant260Password in Configuration File
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness BaseWeakness Base521Weak Password Requirements
Research Concepts1000
+ Causal Nature


+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsPassword Management: Empty Password in Configuration File
+ References
J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002.
+ Content History
Submission DateSubmitterOrganizationSource
7 Pernicious KingdomsExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2009-10-29CWE Content TeamMITREInternal
updated Other Notes, Potential Mitigations