CXX.SV.PWD.PLAIN.LENGTH.ZERO

Attempt to set password with a length of zero characters

Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH.ZERO defect when an application attempts to set a plain text password that is zero characters long.

Vulnerability and risk

During the authentication process, if an application sets a password that is zero characters in length, the account is effectively unprotected: anyone who can reach the service and knows or guesses the user name can authenticate, and a malicious actor can easily compromise the application or system.

Mitigation and prevention

Use strong passwords by setting passwords that are 15 or more characters. Reject empty or short passwords before they reach the authentication API, and avoid embedding the password as a string literal in source; obtain it at run time from a protected configuration source or credential store.
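The following added example (not Klocwork's or Qt's code, and not from this page) shows the run-time gate a practitioner would put in front of a call such as QSqlDatabase::setPassword so that a zero-length or under-15-character password is rejected before it is ever used. It is plain C++ so it builds without Qt; FakeDatabase is a hypothetical stand-in for the connection object, and the function names, the namespace and the environment-variable lookup are assumptions for illustration.

```cpp
// Added example: length gate for passwords, mirroring the checker at run time.
// FakeDatabase, pwdcheck and the helper names are hypothetical, not Qt or Klocwork APIs.
#include <cstddef>
#include <cstdlib>
#include <string>

namespace pwdcheck {

// Threshold taken from the checker message ("15 characters or more").
constexpr std::size_t kMinPasswordLength = 15;

enum class Verdict { Ok, Empty, TooShort };

// Classify a candidate password. Note: std::string::size() counts bytes, so a
// multi-byte (UTF-8) password can pass with fewer than 15 code points.
Verdict check(const std::string &pwd) {
    if (pwd.empty()) return Verdict::Empty;                  // the CXX.SV.PWD.PLAIN.LENGTH.ZERO case
    if (pwd.size() < kMinPasswordLength) return Verdict::TooShort;
    return Verdict::Ok;
}

// Hypothetical stand-in for the Qt connection object used on this page.
struct FakeDatabase {
    std::string user;
    std::string password;
    void setUserName(const std::string &u) { user = u; }
    void setPassword(const std::string &p) { password = p; }
};

// Set credentials only if the password passes the gate.
// Returns true when the password was accepted and set, false otherwise.
bool connectWithPassword(FakeDatabase &db, const std::string &user, const std::string &pwd) {
    if (check(pwd) != Verdict::Ok) return false;            // never forward an empty/short password
    db.setUserName(user);
    db.setPassword(pwd);
    return true;
}

// Read the password from an environment variable instead of a source literal.
// Returns true and fills `out` only if the variable is set and passes the gate.
bool passwordFromEnv(const char *name, std::string &out) {
    const char *raw = std::getenv(name);
    if (raw == nullptr) return false;
    std::string candidate(raw);
    if (check(candidate) != Verdict::Ok) return false;
    out = candidate;
    return true;
}

}  // namespace pwdcheck

int main() {
    pwdcheck::FakeDatabase db;
    // Constructed inputs: the empty password is refused, the 17-character one is accepted.
    bool rejected = pwdcheck::connectWithPassword(db, "mojito", "");
    bool accepted = pwdcheck::connectWithPassword(db, "mojito", "J0a1m8welCome6469");
    return (rejected == false && accepted == true) ? 0 : 1;
}
```

In practice the gate sits between credential loading and the connection call, so that a misconfigured deployment (unset variable, empty value) fails closed instead of authenticating with no password. The byte-versus-character caveat in the comment matters if the policy is stated in characters.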

Vulnerable code example

#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    this->qSqlDatabase.setUserName("J0a1m8");
    this->qSqlDatabase.setPassword("");   // zero-length password: reported as CXX.SV.PWD.PLAIN.LENGTH.ZERO
}

Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH.ZERO defect on the setPassword call, indicating, “Attempt to set password with a length of zero characters. Consider increasing the length to 15 characters or more.” In the Database::connect method, the empty string literal is passed directly to the setPassword API, so the connection would authenticate with no password at all.

Fixed code example

#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    QString pwd = "J0a1m8welCome6469";      // 17 characters: meets the 15-character minimum
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword(pwd);
}

Klocwork no longer reports a CXX.SV.PWD.PLAIN.LENGTH.ZERO defect because the password provided to the setPassword API is at least 15 characters long. The example still embeds the password as a literal in source to keep the snippet short; in production code the value should come from a protected configuration source or credential store rather than the binary.