CXX.SV.PWD.PLAIN.LENGTH

Attempt to set password with a length less than 15 characters

Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH defect when an application attempts to set a plain text password that is fewer than 15 characters.

Vulnerability and risk

During the authentication process, if a user provides a password that is fewer than 15 characters, a malicious actor could intercept that data and guess the password by using a brute-force attack.

Mitigation and prevention

Use strong passwords by increasing password lengths to 15 or more characters.

Vulnerable code example

Copy

1
2
3
4
5
6
#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword("J0a1m8");
}

Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH defect on line 5, indicating, “Attempt to set password with a length less than 15 characters. Consider increasing the length to 15 characters or more.” In the Database::connect method, the plain string "J0a1m8" is passed directly to the setPassword API during authentication. The password “J0a1m8" is fewer than 15 characters.

Fixed code example

Copy

1
2
3
4
5
6
7
#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    QString pwd = "J0a1m8welCome6469";
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword(pwd);
}

Klocwork no longer reports a CXX.SV.PWD.PLAIN.LENGTH defect because the password provided to the setPassword API is at least 15 characters long.

Related checkers

External guidance

Security training

Application security training materials provided by Secure Code Warrior.