Password in Configuration File
Weakness ID: 260 (Weakness Variant)
Status: Incomplete
+ Description

Description Summary

The software stores a password in a configuration file that might be accessible to actors who do not know the password.

Extended Description

This can result in compromise of the system for which the password is used. An attacker who gains access to this file can learn the stored password or, worse, change it to one of their choosing.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Demonstrative Examples

Example 1

Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.

(Bad Code)
Example Language: Java
# LDAP bind credentials stored as plaintext literals in the properties file
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
+ Potential Mitigations

Avoid storing passwords in easily accessible locations.

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
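As an added example (not part of the CWE entry), a small Python scanner that turns the mitigation above into a check for properties files like the one in Example 1: it flags password-style keys whose value is a plaintext literal (CWE-260) or empty (the child weakness CWE-258) and accepts only a ${...} placeholder resolved at runtime from a restricted source. The sample content and the key-name patterns are constructed assumptions. Note that the hash-based alternative applies to passwords the application verifies; a bind password the application must present, as in the LDAP example, is kept out of the file by such a runtime reference instead.

```python
import re
from dataclasses import dataclass

# Constructed sample .properties content (assumption, not a real deployment): the
# page's LDAP snippet plus the cases a scanner must tell apart.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
db.password=
mail.smtp.password=${SMTP_PASSWORD}
api.token.secret : abc123
webapp.ldap.url=ldap://directory.example.internal
"""

# Key names (last dotted segment) that normally hold a credential (assumed list).
SENSITIVE_KEY = re.compile(r"(password|passwd|pwd|secret|token)$", re.IGNORECASE)
# ${NAME} is a placeholder resolved at runtime (environment variable, secret
# manager), so the file itself holds no secret and is not reported.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")

@dataclass
class Finding:
    line: int
    key: str
    issue: str

def parse_properties(text):
    """Yield (line_no, key, value) for 'key=value' / 'key: value' lines,
    skipping blanks and '#'/'!' comments as java.util.Properties does."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            yield no, m.group(1), m.group(2).strip()

def scan_properties(text):
    """Report CWE-260 (plaintext) and CWE-258 (empty) password values."""
    findings = []
    for no, key, value in parse_properties(text):
        if not SENSITIVE_KEY.search(key.rsplit(".", 1)[-1]):
            continue
        if value == "":
            findings.append(Finding(no, key, "CWE-258 empty password"))
        elif not PLACEHOLDER.match(value):
            findings.append(Finding(no, key, "CWE-260 plaintext password"))
    return findings
```

Running scan_properties over a real properties file reports the line and key of each stored credential; the username line and the placeholder line are not reported.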

+ Relationships
Nature    Type              ID   Name                                                      View(s) this relationship pertains to
ChildOf   Category          254  Security Features                                         Development Concepts (699); Seven Pernicious Kingdoms (primary) (700)
ChildOf   Weakness Base     522  Insufficiently Protected Credentials                      Development Concepts (primary) (699); Research Concepts (primary) (1000)
ChildOf   Category          632  Weaknesses that Affect Files or Directories               Resource-specific Weaknesses (primary) (631)
ParentOf  Weakness Variant  13   ASP.NET Misconfiguration: Password in Configuration File  Research Concepts (primary) (1000)
ParentOf  Weakness Variant  258  Empty Password in Configuration File                      Development Concepts (primary) (699); Research Concepts (primary) (1000)
+ Affected Resources
  • File/Directory
+ Taxonomy Mappings
Mapped Taxonomy Name   Node ID  Fit  Mapped Node Name
7 Pernicious Kingdoms                Password Management: Password in Configuration File
+ References
J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002.
+ Content History
Submissions
Submission Date  Submitter              Organization  Source
                 7 Pernicious Kingdoms                Externally Mined
Modifications
Modification Date  Modifier          Organization  Source
2008-07-01         Sean Eidemiller   Cigital       External
                   added/updated demonstrative examples
2008-07-01         Eric Dalci        Cigital       External
                   updated Time of Introduction
2008-09-08         CWE Content Team  MITRE         Internal
                   updated Relationships, Taxonomy Mappings
2008-10-14         CWE Content Team  MITRE         Internal
                   updated Description