1. Home
  2. CWE Database
  3. CWE-258
Variant · Low-Medium

CWE-258: Empty Password in Configuration File

Using an empty string as a password is insecure.

CWE-258 · Variant Level ·1 CVEs ·1 Mitigations

Description

Using an empty string as a password is insecure.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Demonstrative Examples

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but the password is provided as an empty string.
This Java example shows a properties file with an empty password string.
Bad
# Java Web App ResourceBundle properties file
                     ...webapp.ldap.username=secretUsernamewebapp.ldap.password=...
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database and the password is provided as an empty string.
Bad
...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>...
An empty string should never be used as a password as this can allow unauthorized access to the application. Username and password information should not be included in a configuration file or a properties file in clear text. If possible, encrypt this information and avoid CWE-260 and CWE-13.

Mitigations & Prevention

System Configuration

Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to

Real-World CVE Examples

CVE IDDescription
CVE-2022-26117Network access control (NAC) product has a configuration file with an empty password

CWE-260: Password in Configuration File

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

CWE-521: Weak Password Requirements

The product does not require that users should have strong passwords.

Taxonomy Mappings

  • 7 Pernicious Kingdoms: — Password Management: Empty Password in Configuration File

Frequently Asked Questions

What is CWE-258?

CWE-258 (Empty Password in Configuration File) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Using an empty string as a password is insecure.

How can CWE-258 be exploited?

Attackers can exploit CWE-258 (Empty Password in Configuration File) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design, Implementation, Operation phase of software development.

How do I prevent CWE-258?

Key mitigations include: Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionar

What is the severity of CWE-258?

CWE-258 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 1 real-world CVEs.