CXX.SV.PWD.PLAIN.LENGTH
Attempt to set password with a length less than 15 characters
Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH defect when an application attempts to set a plain text password that is fewer than 15 characters.
Vulnerability and risk
During the authentication process, if a user provides a password that is fewer than 15 characters, a malicious actor could intercept that data and guess the password by using a brute-force attack.
Mitigation and prevention
Use strong passwords by increasing password lengths to 15 or more characters.
Vulnerable code example
#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword("J0a1m8");
}
Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH defect on line 5, indicating, "Attempt to set password with a length less than 15 characters. Consider increasing the length to 15 characters or more." In the Database::connect method, the plain-text string literal "J0a1m8" is passed directly to the setPassword API during authentication. The password "J0a1m8" is fewer than 15 characters.
Fixed code example
#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    QString pwd = "J0a1m8welCome6469";
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword(pwd);
}
Klocwork no longer reports a CXX.SV.PWD.PLAIN.LENGTH defect because the password provided to the setPassword API is at least 15 characters long.
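The fixed example satisfies the length checker but still hard-codes the credential, which the CWE-259, CWE-798 and CERT MSC41-C entries listed under External guidance advise against. The following added example (not Klocwork's or Qt's code) shows one way to address both points: the password is read from an environment variable (the variable name KW_EXAMPLE_DB_PASSWORD is an assumption) and the 15-character minimum is enforced at runtime before the value reaches the database API. Because the length rule is about characters, not bytes, the check counts UTF-8 code points so a non-ASCII password is not over-counted. A small FakeDatabase stand-in replaces QSqlDatabase so the example compiles without Qt.

```cpp
// Added example, not part of the Klocwork documentation or the Qt API.
// Enforces the 15-character minimum at runtime and sources the password
// from the environment instead of a string literal.
#include <cstdlib>
#include <iostream>
#include <string>

// Minimum length required by the checker (and STIG-ID V-222536).
const std::size_t kMinPasswordLength = 15;

// Count Unicode code points rather than bytes: in UTF-8, every byte of the
// form 10xxxxxx is a continuation byte and does not start a character.
std::size_t countCodePoints(const std::string& s) {
    std::size_t n = 0;
    for (unsigned char c : s) {
        if ((c & 0xC0) != 0x80) {
            ++n;
        }
    }
    return n;
}

// True when the password has at least kMinPasswordLength characters.
bool meetsMinimumLength(const std::string& pwd) {
    return countCodePoints(pwd) >= kMinPasswordLength;
}

// Read the password from the named environment variable (hypothetical name,
// supplied by the caller). Returns false, leaving `out` untouched, if the
// variable is unset or the value is shorter than the minimum.
bool loadPasswordFromEnv(const char* varName, std::string& out) {
    const char* raw = std::getenv(varName);
    if (raw == nullptr) {
        return false;
    }
    std::string pwd(raw);
    if (!meetsMinimumLength(pwd)) {
        return false;
    }
    out = pwd;
    return true;
}

// Stand-in for QSqlDatabase so the example builds without Qt.
struct FakeDatabase {
    std::string user;
    std::string password;
    void setUserName(const std::string& u) { user = u; }
    void setPassword(const std::string& p) { password = p; }
};

// Equivalent of Database::connect: refuses to configure the connection
// unless a sufficiently long password was obtained from the environment.
bool connectDatabase(FakeDatabase& db, const char* varName) {
    std::string pwd;
    if (!loadPasswordFromEnv(varName, pwd)) {
        return false;
    }
    db.setUserName("mojito");
    db.setPassword(pwd);
    return true;
}

int main() {
    FakeDatabase db;
    // KW_EXAMPLE_DB_PASSWORD is an assumed variable name for this example.
    if (connectDatabase(db, "KW_EXAMPLE_DB_PASSWORD")) {
        std::cout << "connection configured for user " << db.user << "\n";
    } else {
        std::cout << "refusing to connect: password missing or shorter than "
                  << kMinPasswordLength << " characters\n";
    }
    return 0;
}
```

Run it with the variable unset to see the refusal path, then with a 15-character or longer value to see the connection configured; the literal from the vulnerable example, "J0a1m8", is rejected because it has only six characters.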
Related checkers
External guidance
- CERT MSC41-C: Never hard code sensitive information
- CWE-256: Plaintext Storage of a Password
- CWE-259: Use of Hard-coded Password
- CWE-287: Improper Authentication
- CWE-798: Use of Hard-coded Credentials
- OWASP A2:2021 Cryptographic Failures
- OWASP A7:2021 Identification and Authentication Failures
- STIG-ID:V-222536 (APSC-DV-001680): The application must enforce a minimum 15-character password length.
Security training
Application security training materials provided by Secure Code Warrior.
- Sensitive Data Exposure Training Video - Test your skills with a training example
- Insufficiently Protected Credentials Training Video - Test your skills with a training example
- Improper Authentication Training Video - Test your skills with a training example