Use of Hard-coded Password

From Guidance Share

Jump to: navigation, search

Contents

Description

The use of a hard-coded password increases the possibility of password guessing tremendously.


Applies To

  • Languages: All
  • Operating platforms: All


Example

The following example shows a hardcoded password compare:

int VerifyAdmin(char *password) {
if (strcmp(password,”68af404b513073584c4b6f22b6c63e6b”)) {
printf(“Incorrect Password!\n”);
return(0)
}


Impact

  • Authentication: If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question.


Vulnerabilities

  • Reliance on a hard-coded password


Countermeasures

Design / Implementation: Ensure that strong, non-reversible encryption is used to protect stored passwords. This mechanism should be used both on disk and when the password is stored in memory.


Vulnerability Patterns


How Tos

Personal tools