Weak Encoding for Password

Incomplete Base

Structure: Simple

Description

Using simple encoding like Base64 to hide a password provides no real security, as it can be easily reversed.

Extended Description

This weakness occurs when developers try to protect passwords stored in configuration files or application properties by encoding them with schemes like Base64, hex, or ROT13. While this obscures the password from casual viewing, it is not encryption. Any attacker who discovers the encoded string can trivially decode it back to the original plaintext password, offering no meaningful defense. True password protection requires strong, one-way cryptographic hashing with a salt, or using a dedicated secrets management solution. Encoding is a form of security through obscurity that creates a false sense of safety. Developers should treat any encoded secret as if it were plaintext, because for an attacker, it effectively is.

Common Consequences 1

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 1

Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.

Demonstrative Examples 2

The following code reads a password from a properties file and uses the password to connect to a database.

Code Example:Bad
Java
java

This code will run successfully, but anyone with access to config.properties can read the value of password and easily determine that the value has been base 64 encoded. If a devious employee has access to this information, they can use it to break into the system.

The following code reads a password from the registry and uses the password to create a new network credential.

Code Example:Bad
C#
c#

This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system.

References 3

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Katrina Tsipenyuk, Brian Chess, and Gary McGraw

NIST Workshop on Software Security Assurance Tools Techniques and Metrics • NIST

07-11-2005

https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

ID: REF-6

Building Secure Software: How to Avoid Security Problems the Right Way

John Viega and Gary McGraw

Addison-Wesley

2002

ID: REF-207

24 Deadly Sins of Software Security

Michael Howard, David LeBlanc, and John Viega

McGraw-Hill

2010

ID: REF-44

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Related Attack Patterns

55
Path Equivalence: '/./' (Single Dot Directory)

Related Weaknesses

ChildOf:

Insufficiently Protected Credentials (CWE-522)

Taxonomy Mapping

7 Pernicious Kingdoms
OWASP Top Ten 2004

Notes

Other The "crypt" family of functions uses weak cryptographic algorithms and should be avoided. It may be present in some projects for compatibility.