CXX.SV.PWD.PLAIN.LENGTH

Attempt to set password with a length less than 15 characters

Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH defect when an application attempts to set a plain text password that is fewer than 15 characters.

Vulnerability and risk

During the authentication process, if a user provides a password that is fewer than 15 characters, a malicious actor who intercepts that data could recover the password with a brute-force attack, because the search space for a short password is small enough to exhaust.

Mitigation and prevention

Use strong passwords by increasing password lengths to 15 or more characters.

Vulnerable code example

#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword("J0a1m8");   /* 6-character plain-text password: flagged */
}

Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH defect on line 5, indicating: “Attempt to set password with a length less than 15 characters. Consider increasing the length to 15 characters or more.” In the Database::connect method, the plain-text string "J0a1m8" is passed directly to the setPassword API during authentication. The password "J0a1m8" is only 6 characters long, fewer than the required 15.

Fixed code example

#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    QString pwd = "J0a1m8welCome6469";          /* 17 characters: meets the 15-character minimum */
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword(pwd);
}

Klocwork no longer reports a CXX.SV.PWD.PLAIN.LENGTH defect because the password provided to the setPassword API is at least 15 characters long.
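The static check above only sees string literals. As an added example (not Klocwork's code or part of the page's Qt snippet), the helper below enforces the same 15-character minimum at runtime on a password loaded from an environment variable (a hypothetical variable name; the page hard-codes the value instead), counting UTF-8 code points rather than bytes so that a multi-byte password is not over-counted.

```cpp
#include <cstddef>
#include <cstdlib>
#include <optional>
#include <string>

// Minimum length the CXX.SV.PWD.PLAIN.LENGTH checker expects.
constexpr std::size_t kMinPasswordChars = 15;

// Count Unicode code points in a UTF-8 string: every byte that is not a
// continuation byte (10xxxxxx) begins a new character. Counting raw bytes
// would overstate the length of a password containing multi-byte characters.
std::size_t utf8Length(const std::string& s) {
    std::size_t n = 0;
    for (unsigned char c : s) {
        if ((c & 0xC0) != 0x80) ++n;
    }
    return n;
}

// Policy check to apply before a credential ever reaches setPassword():
// true only if the password has at least kMinPasswordChars characters.
bool meetsMinimumLength(const std::string& pwd) {
    return utf8Length(pwd) >= kMinPasswordChars;
}

// Load the database password from the environment variable `name`
// (assumed deployment convention, not from the page). Returns nullopt when
// the variable is unset or the value fails the length policy, so a
// too-short secret never reaches the connection code.
std::optional<std::string> loadDatabasePassword(const char* name) {
    const char* raw = std::getenv(name);
    if (raw == nullptr) return std::nullopt;
    std::string pwd(raw);
    if (!meetsMinimumLength(pwd)) return std::nullopt;
    return pwd;
}
```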