CWE-258

Empty Password in Configuration File

Variant
Incomplete

Description

Using an empty string as a password is insecure.

Common Consequences

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Potential Mitigations

System Configuration

Passwords should be at least eight characters long; the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, in a book of names, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.

CVE-2022-26117: Network access control (NAC) product has a configuration file with an empty password
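A configuration audit can catch this weakness before deployment. The following check is an added example, not part of the CWE entry: it scans INI-style `key = value` text and reports credential keys whose value is empty, quoted-empty, or only a comment. The list of key names and the file syntax are assumptions, and the sample input is constructed.

```python
import re

# Key names treated as credentials (assumption; extend for your own configs).
SECRET_KEY = re.compile(
    r"(password|passwd|passphrase|pwd|secret)$|(^|[_.\-])pass$", re.IGNORECASE)
# Matches "key = value" or "key: value"; comment lines and [sections] do not match.
ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(.*)$")


def strip_value(raw):
    """Return the effective value: quotes removed, inline comments dropped."""
    value = raw.strip()
    if value[:1] in ("'", '"'):
        end = value.find(value[0], 1)
        return value[1:end] if end != -1 else value[1:]
    # Unquoted value: a '#' or ';' at the start or after whitespace begins a comment.
    return re.split(r"(?:^|\s+)[#;]", value, maxsplit=1)[0].strip()


def find_empty_passwords(text):
    """Return (line_number, key) for each credential key with a blank value."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ASSIGN.match(line)
        if not match:
            continue
        key, raw = match.groups()
        if SECRET_KEY.search(key) and not strip_value(raw).strip():
            findings.append((number, key))
    return findings


# Constructed sample configuration, for illustration only.
SAMPLE = """\
[database]
user = app
password =
; password = disabled-example
[ldap]
bind_password: ""
[radius]
shared_secret = 'constructed-value'   # constructed placeholder
admin.pass = # not set
password_file = /etc/app/pw
"""

if __name__ == "__main__":
    for number, key in find_empty_passwords(SAMPLE):
        print(f"line {number}: '{key}' has an empty password")
```

Keys such as `password_file` are deliberately ignored because they hold a path, not the credential itself.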

Applicable Platforms

Not Language-Specific
