1. Home
  2. CWE Database
  3. CWE-257
Base · Medium

CWE-257: Storing Passwords in a Recoverable Format

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significan...

CWE-257 · Base Level ·1 CVEs ·1 Mitigations

Description

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Potential Impact

Confidentiality, Access Control

Gain Privileges or Assume Identity

Access Control

Gain Privileges or Assume Identity

Demonstrative Examples

Both of these examples verify a password by comparing it to a stored compressed version.
Bad
int VerifyAdmin(char *password) {if (strcmp(compress(password), compressed_password)) {printf("Incorrect Password!\n");return(0);}printf("Entering Diagnostic Mode...\n");return(1);}
Bad
int VerifyAdmin(String password) {if (passwd.Equals(compress(password), compressed_password)) {return(0);}
                        //Diagnostic Mode
                        return(1);}
Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database.
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.
This Java example shows a properties file with a cleartext username / password pair.
Bad
# Java Web App ResourceBundle properties file
                     ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword...
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext.
Bad
...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>...
Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.

Mitigations & Prevention

Architecture and Design

Use strong, non-reversible encryption to protect stored passwords.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2022-30018A messaging platform serializes all elements of User/Group objects, making private information available to adversaries

CWE-522: Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauth...

CWE-259: Use of Hard-coded Password

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communicati...

Taxonomy Mappings

  • CLASP: — Storing passwords in a recoverable format
  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-257?

CWE-257 (Storing Passwords in a Recoverable Format) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significan...

How can CWE-257 be exploited?

Attackers can exploit CWE-257 (Storing Passwords in a Recoverable Format) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-257?

Key mitigations include: Use strong, non-reversible encryption to protect stored passwords.

What is the severity of CWE-257?

CWE-257 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.