CXX.SV.PWD.PLAIN
The application must not display passwords/PINs as clear text
Klocwork reports a CXX.SV.PWD.PLAIN defect when an application attempts to set a password or PIN by using a string written in plain text.
Vulnerability and risk
If the storage location or network is not protected by external encryption, anyone who can access the string will be able to see the password.
During the authentication process, if a user provides a password or a PIN by using a plain text format, a malicious actor can intercept that data and compromise the user account.
Mitigation and prevention
Use encryption techniques to avoid this kind of attack. For example, the Qt framework provides an API called encryptToString that encrypts plain text strings.
Vulnerable code example
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword("J0a1m8");
}
Klocwork reports a CXX.SV.PWD.PLAIN defect at line 4, indicating, “Attempt to set password using a plain string. Consider some encryption techniques to encrypt the plain string.” Inside the Database::connect method, the plain string "J0a1m8" is passed directly to the setPassword API.
Fixed code example
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    QString pwd = "J0a1m8";
    QString encryptedData = encryptToString(pwd);
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword(encryptedData);
}
Klocwork no longer reports a CXX.SV.PWD.PLAIN defect because the encryptToString API provided by the Qt framework encrypts the text ("J0a1m8") before it is passed to the setPassword API.
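The following standard C++ is an added example, not code from the Klocwork documentation or from the Qt framework. It places the pattern the checker flags (a password literal in source) next to a pattern that keeps the secret out of the binary entirely: the credential is supplied at runtime through the process environment, handed to the connection, and the local copy wiped. It does not use the encryptToString helper mentioned above; Connection, loadCredential, connectFromEnvironment and secureWipe are hypothetical names, and EXAMPLE_DB_PASSWORD is a constructed variable name.

```cpp
// Added example (not Klocwork's or Qt's code). Shows the flagged pattern beside
// one that loads the credential at runtime instead of compiling it in.
#include <cstdlib>
#include <string>

// Minimal stand-in for a database connection object (hypothetical): it only
// records what it was given so the two patterns can be compared.
struct Connection {
    std::string user;
    std::string password;
    void setUserName(const std::string &u) { user = u; }
    void setPassword(const std::string &p) { password = p; }
};

// Vulnerable pattern: the secret is a literal in the source, so it ends up in
// the compiled binary, in version control and in every build artifact.
void connectWithLiteral(Connection &db) {
    db.setUserName("mojito");
    db.setPassword("J0a1m8");   // this is what CXX.SV.PWD.PLAIN reports
}

// Overwrite a string's storage before releasing it so the secret does not
// linger in freed heap memory. Writing through a volatile pointer keeps the
// compiler from treating the stores as dead and removing them.
void secureWipe(std::string &s) {
    if (!s.empty()) {
        volatile char *p = &s[0];
        for (std::size_t i = 0; i < s.size(); ++i) p[i] = '\0';
    }
    s.clear();
}

// Hardened pattern: read the credential from an environment variable that the
// deployment (service unit, container secret, orchestrator) sets at runtime.
// Returns false when the variable is absent or empty so the caller can fail
// closed instead of silently connecting with an empty password.
bool loadCredential(const char *envName, std::string &out) {
    const char *value = std::getenv(envName);
    if (value == nullptr || *value == '\0') return false;
    out.assign(value);
    return true;
}

// Returns true on success. On success the password has been handed to the
// connection and the local copy wiped; on failure nothing is set and there is
// deliberately no fallback literal.
bool connectFromEnvironment(Connection &db, const char *envName) {
    std::string pwd;
    if (!loadCredential(envName, pwd)) return false;
    db.setUserName("mojito");
    db.setPassword(pwd);
    secureWipe(pwd);
    return true;
}

int main() {
    Connection db;
    // Exit non-zero when the secret was not provisioned, rather than connect
    // with a guessed or empty credential.
    return connectFromEnvironment(db, "EXAMPLE_DB_PASSWORD") ? 0 : 1;
}
```

Run with the variable set (for example `EXAMPLE_DB_PASSWORD=... ./a.out`) and the program connects; run it unset and it exits with status 1. The point of the hardened variant is that no password string exists in the source tree or the binary, which is the condition both this checker and CWE-798 are concerned with; how the environment gets populated (a secrets manager, an orchestrator, a protected unit file) is a deployment decision outside this example.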
Related checkers
External guidance
- CERT MSC41-C: Never hard code sensitive information
- CWE-256: Plaintext Storage of a Password
- CWE-259: Use of Hard-coded Password
- CWE-287: Improper Authentication
- CWE-798: Use of Hard-coded Credentials
- OWASP A2:2021 Cryptographic Failures
- OWASP A7:2021 Identification and Authentication Failures
- STIG-ID:V-222554 (APSC-DV-001850): The application must not display passwords/PINs as clear text.
Security training
Application security training materials provided by Secure Code Warrior.
- Sensitive Data Exposure Training Video - Test your skills with a training example
- Insufficiently Protected Credentials Training Video - Test your skills with a training example
- Improper Authentication Training Video - Test your skills with a training example
Extension
This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.