Plaintext Storage Of Password

ID

go.plaintext_storage_of_password

Severity

low

Resource

Information Leak

Language

Go

Tags

CWE:256, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.3.1

Description

Cleartext storage of password.

Rationale

Insecure storage of credentials means that if an attacker gains access to the storage medium (e.g., files, databases), they can easily retrieve and misuse the credentials. Encryption or secure hashing approaches should always be used to protect passwords from being read directly.

Here’s a demonstration in Golang that illustrates this vulnerability:

package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"os"
)

// Configuration is decoded straight from conf.json, so whatever the file
// contains is held in memory verbatim.
type Configuration struct {
	Password string
}

func main() {
	file, err := os.Open("conf.json")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer file.Close()

	configuration := Configuration{}
	if err := json.NewDecoder(file).Decode(&configuration); err != nil {
		fmt.Println("error:", err)
		return
	}

	// The password read from the file is used as-is: it was stored in cleartext.
	url.UserPassword("admin", configuration.Password) // FLAW
}

In this example, the password is persisted in conf.json as plain text and read back verbatim. If the file (or any backup or repository copy of it) is compromised, an attacker can read the password directly, with no hash to break.

Remediation

To remediate issues related to plaintext storage of passwords in your applications, implement the following practices:

  1. Use Secure Hashing Algorithms: Store passwords using a strong, one-way hashing algorithm combined with a salt to protect against dictionary and rainbow table attacks.

  2. Leverage Strong Cryptography: When passwords must be stored for validation, use a combination of hashing and salting. Ensure the algorithms used are well-regarded and up-to-date with industry standards (e.g., PBKDF2, bcrypt, scrypt).

  3. Protect Access to Passwords: Ensure access to stored hashed passwords and salts is tightly controlled using access controls and encryption.

  4. Secure Password Recovery: Implement secure password recovery and reset mechanisms that do not expose the new or old password in plaintext.

Following these practices will significantly enhance the security of password storage in your applications, reducing the risk of unauthorized access.

References

  • CWE-256: Plaintext Storage of a Password.