Password Management

Storing a password in plain text can result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's properties or configuration file.
Example 1: The following code reads a password from a properties file and uses the password to set default authentication credentials for URL requests.

...
var fs:FileStream = new FileStream();
fs.open(new File("config.properties"), FileMode.READ);
var password:String = fs.readMultiByte(fs.bytesAvailable, File.systemCharset);

URLRequestDefaults.setLoginCredentialsForHost(hostname, usr, password);
...

This code will run successfully, but anyone who has access to config.properties can read the value of password. Any devious employee with access to this information can use it to break into the system.

Storing a password in plain text could result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's configuration files or other data store.
Example 1: The following code reads a password from the registry and uses the password to create a new network credential.

...
string password = regKey.GetValue(passKey).ToString());
NetworkCredential netCred =
           new NetworkCredential(username,password,domain);
...

This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. Any devious employee with access to this information can use it to break into the system.

Storing a password in plain text could result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's configuration files or other data store.
Example 1: The following code reads a password from the registry and uses the password to connect to a database.

...
RegQueryValueEx(hkey,TEXT(.SQLPWD.),NULL,
                NULL,(LPBYTE)password, &size);
rc = SQLConnect(*hdbc, server, SQL_NTS, uid,
                SQL_NTS, password, SQL_NTS);
...

This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. Any devious employee with access to this information can use it to break into the system.

Storing a password in plain text can result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's properties or configuration file.
Example 1: The following code reads a password from a properties file and uses the password to connect to a database.

...
01  RECORD.
     05  UID              PIC X(10).
     05  PASSWORD         PIC X(10).
...
EXEC CICS
  READ
  FILE('CFG')
  INTO(RECORD)
  RIDFLD(ACCTNO)
  ...
END-EXEC.

EXEC SQL
  CONNECT :UID
  IDENTIFIED BY :PASSWORD
  AT :MYCONN
  USING :MYSERVER
END-EXEC.
...

This code will run successfully, but anyone who has access to CFG can read the value of password. Any devious employee with access to this information can use it to break into the system.

Storing a password in plain text could result in a system compromise.

Password management issues occur when a password is accepted from a user or is stored in plain text in an application's configuration files or database.
Example 1: The following code reads a password from a web form and uses the password to connect to a database.

<cfquery name = "GetCredentials" dataSource = "master">
SELECT   Username, Password
FROM     Credentials
WHERE    DataSource="users"
</cfquery>
...
<cfquery name = "GetSSNs" dataSource = "users"
 username = "#Username#" password = "#Password#">
SELECT   SSN
FROM     Users
</cfquery>
...

This code will run successfully, but anyone who has access to the table master can read the value of Username and Password. Any devious employee with access to this information can use it to break into the system.

Storing a password in plain text can result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's properties or configuration file.
Example 1: The following code reads a password from a JSON file and uses the password to set the request's authorization header:

...
file, _ := os.Open("config.json")
decoder := json.NewDecoder(file)
decoder.Decode(&values)

request.SetBasicAuth(values.Username, values.Password)
...

This code will run successfully, but anyone who has access to config.json can read the value of values.Password. Any devious employee with access to this information can use it to break into the system.

Storing a password in plain text can result in a system compromise.

Password management issues occur when a password is stored in plain text in an application.
Example 1: The following code uses a hardcoded password to connect to an application and retrieve address book entries:

    ...
    obj = new XMLHttpRequest();
    obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
    ...

This code will run successfully, but anyone who accesses the containing web page can view the password.

Storing a password in plain text can result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's properties or configuration file.
Example 1: The following code reads a password from a plist file and uses it to unzip a password-protected file.

...
NSDictionary *dict= [NSDictionary dictionaryWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"Config" ofType:@"plist"]];
NSString *password = [dict valueForKey:@"password"];
[SSZipArchive unzipFileAtPath:zipPath toDestination:destPath overwrite:TRUE password:password error:&error];
...

In the mobile environment, password management is especially important given that there is such a high chance of device loss.

Storing a password in plain text can result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's properties or configuration file.
Example 1: The following code reads a password from a properties file and uses the password to connect to a database.

...
$props = file('config.properties', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$password = $props[0];

$link = mysql_connect($url, $usr, $password);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
...

This code will run successfully, but anyone who has access to config.properties can read the value of password. Any devious employee with access to this information can use it to break into the system.

Hardcoding or storing a password in plain text could result in a system compromise.

Password management issues occur when a password is hardcoded or stored in plain text in an application's configuration files or other data store. It is never a good idea to hardcode a password. Not only does hardcoding a password allow all of the project's developers to view the password, it also makes fixing the problem extremely difficult. After the code is in production, the password cannot be changed without patching the software. If the account protected by the password is compromised, the owners of the system must choose between security and availability
Example: The following code authenticates the user by reading the password that the user used to log into the database server and comparing it to an expected value.

...
ip_address := OWA_SEC.get_client_ip;
IF ((OWA_SEC.get_user_id = 'scott') AND
    (OWA_SEC.get_password = 'tiger') AND
    (ip_address(1) = 144) and (ip_address(2) = 25)) THEN
        RETURN TRUE;
ELSE
        RETURN FALSE;
END IF;
...

This code will run successfully, but anyone who has access to it will have access to the password. After the program ships, there is likely no way to change the database user "scott" with a password of "tiger" unless the program is patched. An employee with access to this information can use it to break into the system.

Storing a password in plain text can result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's properties or configuration file.
Example 1: The following code reads a password from a properties file and uses the password to connect to a database.

...
props = os.open('config.properties')
password = props[0]

link = MySQLdb.connect (host = "localhost",
                           user = "testuser",
                           passwd = password,
                           db = "test")
...

This code will run successfully, but anyone who has access to config.properties can read the value of password. Any devious employee with access to this information can use it to break into the system.

Storing a password in plain text could result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's configuration files or other data store.
Example 1: The following code reads a password from an environment variable and uses the password to connect to a database.

require 'pg'
...
passwd = ENV['PASSWD']
...
conn = PG::Connection.new(:dbname => "myApp_production", :user => username, :password => passwd, :sslmode => 'require')

This code will run successfully, but anyone who has access to the environment variable used to store the password can read the value of PASSWD. Any devious employee with access to this information can use it to break into the system.

Storing a password in plain text can result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's properties or configuration file.
Example 1: The following code reads a password from a properties file and uses the password to connect to a database.

...
val prop = new Properties()
prop.load(new FileInputStream("config.properties"))
val password = prop.getProperty("password")

DriverManager.getConnection(url, usr, password)
...

This code will run successfully, but anyone who has access to config.properties can read the value of password. Any devious employee with access to this information can use it to break into the system.

Storing a password in plain text can result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's properties or configuration file.
Example 1: The following code reads a password from a plist file and uses it to unzip a password-protected file.

...
var myDict: NSDictionary?
if let path = NSBundle.mainBundle().pathForResource("Config", ofType: "plist") {
    myDict = NSDictionary(contentsOfFile: path)
}
if let dict = myDict {
    zipArchive.unzipOpenFile(zipPath, password:dict["password"])
}
...

In the mobile environment, password management is especially important given that there is such a high chance of device loss.

Storing a password in plain text could result in a system compromise.

Password management issues occur when a password is stored in plain text in an application's properties or configuration file.
Example 1: The following code reads a password from a properties file and uses the password to connect to a database.

...
Private Declare Function GetPrivateProfileString _
  Lib "kernel32" Alias "GetPrivateProfileStringA" _
  (ByVal lpApplicationName As String, _
  ByVal lpKeyName As Any, ByVal lpDefault As String, _
  ByVal lpReturnedString As String, ByVal nSize As Long, _
  ByVal lpFileName As String) As Long
...
Dim password As String
...
password = GetPrivateProfileString("MyApp", "Password", _
  "", value, Len(value), _
   App.Path & "\" & "Config.ini")
...
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=" & password &";"
...

This code will run successfully, but anyone who has access to config.properties can read the value of password. Any devious employee with access to this information can use it to break into the system.