CXX.SV.PWD.PLAIN

The application must not display passwords/PINs as clear text

Klocwork reports a CXX.SV.PWD.PLAIN defect when an application attempts to set a password or PIN by using a string written in plain text.

Vulnerability and risk

If the storage location or network is not protected by external encryption, anyone who can access the string will be able to see the password.

During the authentication process, if a user provides a password or a PIN by using a plain text format, a malicious actor can intercept that data and compromise the user account.

Mitigation and prevention

Use encryption techniques to avoid this kind of attack. For example, the QT framework provides an API called encryptToString that encrypts plain text strings.

Vulnerable code example

Copy 
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword("J0a1m8");
}

Klocwork reports a CXX.SV.PWD.PLAIN defect at line 4, indicating, “Attempt to set password using a plain string. Consider some encryption techniques to encrypt the plain string.” Inside the Database::connect method, the plain string "J0a1m8" is passed directly to the setPassword API .

Fixed code example

Copy 
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    QString pwd = "J0a1m8";
    QString encryptedData = encryptToString(pwd);
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword(encryptedData);
}

Klocwork no longer reports a CXX.SV.PWD.PLAIN defect because the encryptToString API provided by the QT framework encrypts the text (“J0a1m8") before being passed to the setPassword API.

Related checkers

External guidance

Security training

Application security training materials provided by Secure Code Warrior.

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.