Base · Medium

CWE-261: Weak Encoding for Password

Obscuring a password with a trivial encoding does not protect the password.

CWE-261 · Base Level · 1 CVE · 1 Mitigation

Description

Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Demonstrative Examples

The following code reads a password from a properties file and uses the password to connect to a database.
Bad
    ...
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    // The stored value is only base64-encoded, so decoding it needs no key.
    // (java.util.Base64 returns bytes; the original fragment assigned the
    // decoder result directly to a String, which does not compile.)
    String password = new String(
        Base64.getDecoder().decode(prop.getProperty("password")),
        StandardCharsets.UTF_8);
    DriverManager.getConnection(url, usr, password);
    ...
This code will run successfully, but anyone with access to config.properties can read the value of password and easily determine that the value has been base 64 encoded. If a devious employee has access to this information, they can use it to break into the system.
The following code reads a password from the registry and uses the password to create a new network credential.
Bad
    ...
    // regKey and passKey are the registry key and value name (context elided)
    string value = regKey.GetValue(passKey).ToString();
    // The stored value is only base64-encoded, so decoding it needs no key.
    byte[] decVal = Convert.FromBase64String(value);
    // Encoding.UTF8.GetString turns the decoded bytes back into the password
    // text; the original fragment called decVal.toString(), which in C#
    // yields the type name "System.Byte[]" rather than the password.
    NetworkCredential netCred = new NetworkCredential(username, Encoding.UTF8.GetString(decVal), domain);
    ...
This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system.
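The same configuration-file pattern in Go, as an added example that is not part of the CWE entry: RecoverWeaklyEncoded shows that the base64 "obscured" db.password in a constructed properties file is recovered by anyone who can read the file, with no key at all, and SealPassword/OpenPassword show the mitigated form from the section below, where the stored value is an AES-256-GCM ciphertext and the key is held outside the configuration. The function names, the properties content, and the assumption that the key is loaded from an environment variable, OS keystore or KMS are all this example's own, not the page's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample properties file (not from any real system): the
// "obscured" db.password is just base64("supersecret"), the CWE-261 pattern.
const weakProperties = "db.url=jdbc:postgresql://db.internal/app\n" +
	"db.user=appuser\n" +
	"db.password=c3VwZXJzZWNyZXQ=\n"

// parseProperties is a minimal stand-in for java.util.Properties: key=value lines.
func parseProperties(text string) map[string]string {
	props := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			props[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return props
}

// RecoverWeaklyEncoded is what any reader of the file can do: one base64
// decode, no key, and the password is back in the clear.
func RecoverWeaklyEncoded(props map[string]string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(props["db.password"])
	if err != nil {
		return "", err
	}
	return string(raw), nil
}

// Mitigated form: the stored value is base64(nonce || AES-GCM ciphertext) and
// the 256-bit key is held outside the config file (assumed here to come from
// an environment variable, OS keystore or KMS; a key stored next to the
// ciphertext would turn this back into a longer encoding).
func SealPassword(key []byte, password string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(password), nil) // nonce prefix, then ciphertext+tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenPassword fails closed: without the right key there is no password and
// no partial leak, unlike base64, which "opens" for everyone.
func OpenPassword(key []byte, stored string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("stored value too short to be a sealed password")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err // wrong key or tampered value
	}
	return string(plain), nil
}

func main() {
	pw, _ := RecoverWeaklyEncoded(parseProperties(weakProperties))
	fmt.Printf("weak encoding: recovered %q with no key\n", pw)

	key := make([]byte, 32) // 256-bit key; in practice loaded from outside the config
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	stored, _ := SealPassword(key, pw)
	back, _ := OpenPassword(key, stored)
	fmt.Printf("sealed: stored %q, opened with key %q\n", stored, back)
	_, err := OpenPassword(make([]byte, 32), stored)
	fmt.Println("opened with wrong key:", err)
}
```

The point of the contrast is where the secret lives: base64 has no key, so the file is the only barrier, while the sealed value is useless to a reader of the file unless the key is also exposed. Encrypting with a key that sits in the same file or in the binary next to it is only a more elaborate encoding.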

Mitigations & Prevention

General

Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
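A configuration-file check of the kind the SAST note describes, as an added example that is neither the CWE entry's nor any tool's code: it scans key=value lines and, for keys that look credential-bearing, flags values that are a trivially reversible encoding of printable text. It goes slightly beyond the base64 case in the text by also recognising hex, and it leaves alone values that decode to non-printable bytes, which are more likely real ciphertext or key material than an obscured password. The sample config, the key-name pattern and the length thresholds are this example's own assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Finding is one configuration line that matches the CWE-261 pattern.
type Finding struct {
	Line     int    // 1-based line number in the scanned text
	Key      string // property name, e.g. db.password
	Encoding string // "base64" or "hex"
}

var (
	// Property names that usually hold a credential (assumed list, case-insensitive).
	secretKey   = regexp.MustCompile(`(?i)(pass(word|wd|phrase)?|pwd|secret|credential)`)
	base64Shape = regexp.MustCompile(`^[A-Za-z0-9+/]{8,}={0,2}$`)
	hexShape    = regexp.MustCompile(`^[0-9a-fA-F]{8,}$`)
)

// Constructed sample config (not from any real system). Two lines are the
// weakness: a base64-"obscured" password and a hex-"obscured" secret. The
// plaintext smtp.pass is a different weakness (plaintext storage), and the
// keystore value decodes to non-printable bytes, so it is treated as probable
// key material rather than an encoded password.
const sampleConfig = `# constructed sample
db.url=jdbc:postgresql://db.internal/app
db.user=appuser
db.password=c3VwZXJzZWNyZXQ=
api.secret=68756e74657232
smtp.pass=hunter2
ssl.keystore.password=AAAAAAAAAAAAAAAAAAAAAAAA
`

// printable reports whether b is valid UTF-8 made only of printable characters,
// which is what a human-chosen password decodes to; random key material or
// real ciphertext almost never is.
func printable(b []byte) bool {
	if len(b) == 0 {
		return false
	}
	for _, r := range string(b) {
		if r == unicode.ReplacementChar || !(unicode.IsPrint(r) || unicode.IsSpace(r)) {
			return false
		}
	}
	return true
}

// reversibleEncoding names the trivial encoding that turns val back into
// printable text, or reports false if there is none. Hex is tried first
// because every even-length hex string is also a valid base64 shape.
func reversibleEncoding(val string) (string, bool) {
	if hexShape.MatchString(val) && len(val)%2 == 0 {
		if raw, err := hex.DecodeString(val); err == nil && printable(raw) {
			return "hex", true
		}
	}
	if base64Shape.MatchString(val) {
		if raw, err := base64.StdEncoding.DecodeString(val); err == nil && printable(raw) {
			return "base64", true
		}
	}
	return "", false
}

// ScanProperties flags key=value lines whose key names a credential and whose
// value is a trivially reversible encoding of printable text.
func ScanProperties(text string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if !secretKey.MatchString(key) {
			continue
		}
		if enc, ok := reversibleEncoding(val); ok {
			findings = append(findings, Finding{Line: i + 1, Key: key, Encoding: enc})
		}
	}
	return findings
}

func main() {
	for _, f := range ScanProperties(sampleConfig) {
		fmt.Printf("line %d: %s is %s-encoded, not protected (CWE-261)\n", f.Line, f.Key, f.Encoding)
	}
}
```

A heuristic like this is a review aid, not proof: a short real password stored in plaintext will not match either shape, and a value that happens to decode to printable text may be legitimate, so findings still need a human to confirm where the value came from and how it is used.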

Real-World CVE Examples

CVE ID          Description
CVE-2022-45099  network attached storage (NAS) product uses weak encoding for a password

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Password Management: Weak Cryptography
  • OWASP Top Ten 2004: A8 — Insecure Storage

Frequently Asked Questions

What is CWE-261?

CWE-261 (Weak Encoding for Password) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. Obscuring a password with a trivial encoding does not protect the password.

How can CWE-261 be exploited?

Attackers can exploit CWE-261 (Weak Encoding for Password) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-261?

Key mitigations include: passwords should be encrypted with keys that are at least 128 bits in length for adequate security.

What is the severity of CWE-261?

CWE-261 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.