Use of Hard-coded Password

From Guidance Share
Revision as of 05:06, 7 August 2007 by GardenTender (talk | contribs)

Description

The use of a hard-coded password greatly increases the likelihood that the password is guessed or recovered by an attacker.


Applies To

  • Languages: All
  • Operating platforms: All


Example

The following example shows a hard-coded password comparison (the secret is a string literal compiled into the binary):

#include <stdio.h>
#include <string.h>

/* Vulnerable by design: the expected password is embedded in the code */
int VerifyAdmin(char *password) {
    if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
        printf("Incorrect Password!\n");
        return(0);
    }
    return(1);
}


Impact

  • Authentication: If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question.


Vulnerabilities

  • Reliance on a hard-coded password


Countermeasures

Design / Implementation: Ensure that strong, non-reversible encryption is used to protect stored passwords. This mechanism should be used both on disk and when the password is stored in memory.
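The following is an added illustration of this countermeasure; it is not code from the Guidance Share page. It replaces the hard-coded comparison with a salted, one-way (PBKDF2-SHA256) password record that is loaded from a file outside the program, and compares the candidate hash in constant time. The function names, the record format and the sample file are assumptions made for the example; Python is used instead of C so the standard library's hashlib and hmac can do the hashing.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

# Work factor for PBKDF2; raise it as hardware gets faster (assumed value).
ITERATIONS = 200_000


def make_password_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build a storable record: 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.

    The record holds only a one-way hash, so a copy of the file (or a memory
    dump of this string) does not reveal the password itself.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_admin(password: str, stored_record: str) -> bool:
    """Hardened counterpart of VerifyAdmin(): no secret literal in the code."""
    try:
        algo, iters, salt_hex, hash_hex = stored_record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        # Malformed or tampered record: fail closed.
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def load_record(path: str) -> str:
    """Read the password record from a file kept outside the source tree."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Constructed demo: write a record to a temporary file, then verify
    # against it the way a deployed program would read its config.
    record = make_password_record("correct horse battery staple")
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".pw") as tmp:
        tmp.write(record + "\n")
        path = tmp.name
    try:
        print("right password:", verify_admin("correct horse battery staple", load_record(path)))
        print("wrong password:", verify_admin("68af404b513073584c4b6f22b6c63e6b", load_record(path)))
    finally:
        os.unlink(path)
```

The record file should be created by an installer or operator step, owned by the service account with restrictive permissions, and never committed to source control; the program itself contains no credential to extract.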


Vulnerability Patterns


How Tos