Support
Eng
òÕÓ
Company
Home
Services
Solutions
Documentation
News and Events
 
 
 
Knowledgebase
Downloads
Glossary
Ask a Question
Search:     Advanced search
SHALB.com / Security Knowledgebase / Web Application Security / Vulnerability / Password Management Vulnerability / Password Management: Weak Cryptography
server monitoring

Password Management: Weak Cryptography
Article ID: 204
Last updated: 09 May, 2008
Print
Email to friend
Views: 354
Posted: 09 May, 2008
by: Tech Pubs S.
Updated: 09 May, 2008
by: Tech Pubs S.

Abstract

Obscuring a password with a trivial encoding does not protect the password.

Description

Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password.

Examples

The following code reads a password from a properties file and uses the password to connect to a database.

	...
	Properties prop = new Properties();
	prop.load(new FileInputStream("config.properties"));
	String password = Base64.decode(prop.getProperty("password"));
	
	DriverManager.getConnection(url, usr, password);
	...

This code will run successfully, but anyone with access to config.properties can read the value of password and easily determine that the value has been base 64 encoded. If a devious employee has access to this information, they can use it to break into the system.
This article was:   Helpful | Not Helpful
Prev   Next
Password Management: Hardcoded Password     Password Plaintext Storage

server monitoring

¿ 2010 "SHALB.com" All rights reserved
SHALB Home
Services
Solutions
Documentation
News and Events