Credentials Management Errors

The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

The product does not have a mechanism in place for managing password aging.

The product supports password aging, but the expiration period is too long.

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

Storing a password in plaintext may result in a system compromise.

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypte...

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attac...

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exter...

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking at...

Obscuring a password with a trivial encoding does not protect the password.

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...