Plaintext Storage of a Password

Incomplete Base

Structure: Simple

Description

This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or databases where attackers can easily retrieve them.

Extended Description

Storing passwords in plaintext is a critical security failure because it completely bypasses the fundamental purpose of password protection. If an attacker gains access to the storage—through a database breach, a leaked file, or a memory dump—they immediately obtain all user credentials. This often leads to account takeover, data theft, and lateral movement across systems, as users frequently reuse passwords. To prevent this, developers must never store the actual password. Instead, always use a strong, adaptive cryptographic hash function (like Argon2, scrypt, or bcrypt) with a unique salt for each password. This transforms the password into a fixed-length, irreversible string. Even if the hash is exposed, the original password remains computationally infeasible to recover, significantly limiting the damage of a data breach.

Common Consequences 1

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 3

Phase: Architecture and Design

Avoid storing passwords in easily accessible locations.

Phase: Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

Effectiveness: None

Demonstrative Examples 4

ID : DX-57

The following code reads a password from a properties file and uses the password to connect to a database.

Code Example:Bad
Java
java

This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system.

ID : DX-58

The following code reads a password from the registry and uses the password to create a new network credential.

Code Example:Bad
Java
java

This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system

ID : DX-43

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.

This Java example shows a properties file with a cleartext username / password pair.

Code Example:Bad
Java
Java Web App ResourceBundle properties file*java

The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext.

Code Example:Bad
ASP.NET
asp.net

Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.

ID : DX-153

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

At least one OT product stored a password in plaintext.

Observed Examples 1

CVE-2022-30275Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.

References 3

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Katrina Tsipenyuk, Brian Chess, and Gary McGraw

NIST Workshop on Software Security Assurance Tools Techniques and Metrics • NIST

07-11-2005

https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

ID: REF-6

Building Secure Software: How to Avoid Security Problems the Right Way

John Viega and Gary McGraw

Addison-Wesley

2002

ID: REF-207

OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management

Forescout Vedere Labs

20-06-2022

https://www.forescout.com/resources/ot-icefall-report/

ID: REF-1283

Likelihood of Exploit

High

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

ICS/OT : Undetermined

Modes of Introduction

Architecture and Design

Related Weaknesses

ChildOf:

Insufficiently Protected Credentials (CWE-522)

Taxonomy Mapping

7 Pernicious Kingdoms
Software Fault Patterns
ISA/IEC 62443
ISA/IEC 62443