Plaintext Storage Of Password

ID

java.plaintext_storage_of_password

Severity

low

Resource

Information Leak

Language

Java

Tags

CWE:256, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.3.1

Description

Cleartext storage of password.

Rationale

Insecure storage of credentials means that if an attacker gains access to the storage medium (e.g., files, databases), they can easily retrieve and misuse the credentials. Encryption or secure hashing approaches should always be used to protect passwords from being read directly.

Here’s a demonstration in Java that illustrates this vulnerability:

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

public class Dummy {

  public void dummy() throws Throwable {
    Properties properties = new Properties();
    FileInputStream streamFileInput = new FileInputStream("../config.properties");
    properties.load(streamFileInput);
    var password = properties.getProperty("password");
    DriverManager.getConnection("192.168.201.37", "admin", password);
  }
}

In this example, passwords are stored as plain text in a Map. If the data structure is compromised, an attacker can access the stored passwords directly.

Remediation

To remediate issues related to plaintext storage of passwords in Java applications, implement the following practices:

  1. Use Secure Hashing Algorithms: Store passwords using a strong, one-way hashing algorithm combined with a salt to protect against dictionary and rainbow table attacks.

  2. Leverage Strong Cryptography: When passwords must be stored for validation, use a combination of hashing and salting. Ensure the algorithms used are well-regarded and up-to-date with industry standards (e.g., PBKDF2, bcrypt, scrypt).

  3. Protect Access to Passwords: Ensure access to stored hashed passwords and salts is tightly controlled using access controls and encryption.

  4. Secure Password Recovery: Implement secure password recovery and reset mechanisms that do not expose the new or old password in plaintext.

Following these practices will significantly enhance the security of password storage in Java applications, reducing the risk of unauthorized access.

References