CXX.SV.PWD.PLAIN.LENGTH.ZERO
Attempt to set password with a length of zero characters
Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH.ZERO defect when an application attempts to set a plain text password that is zero characters long.
Vulnerability and risk
During the authentication process, if the application supplies a password that is zero characters in length, the credential provides no protection at all: anyone who knows (or guesses) the user name can authenticate, so a malicious actor can easily compromise the application or the system it connects to.
Mitigation and prevention
Never pass an empty string as a password. Use strong passwords of 15 or more characters, and validate the length before the credential reaches the authentication API so that a missing or blank value is rejected rather than silently used.
Vulnerable code example
#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
/* Set connections */
this->qSqlDatabase.setUserName("J0a1m8");
this->qSqlDatabase.setPassword("");
}
Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH.ZERO defect on line 5 (the setPassword call), indicating, “Attempt to set password with a length of zero characters. Consider increasing the length to 15 characters or more.” In the Database::connect method, a string of zero characters is passed directly to the setPassword API during authentication, so the database login effectively has no password.
Fixed code example
#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
/* Set connections */
QString pwd = "J0a1m8welCome6469";
this->qSqlDatabase.setUserName("mojito");
this->qSqlDatabase.setPassword(pwd);
}
Klocwork no longer reports a CXX.SV.PWD.PLAIN.LENGTH.ZERO defect because the password provided to the setPassword API is at least 15 characters long. Note that this fix only addresses the length check: a password literal in source is still a hard-coded credential (see CERT MSC41-C, CWE-259 and CWE-798 below). In production code, load the password from a secure configuration source or secret store and enforce the length policy on the loaded value.
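The following is an added example (not code from the Klocwork documentation or from Qt) showing how to enforce the length policy on a password before it is handed to setPassword, while also avoiding the hard-coded literal of the fixed example. The loader function, the environment variable name DB_PASSWORD and the PasswordCheck enum are assumptions for illustration; the only value taken from this page is the 15-character minimum from STIG APSC-DV-001680. It is plain C++ so that it builds without Qt; the commented-out line shows where the Qt setPassword call would go.

```cpp
#include <cstdio>
#include <cstdlib>
#include <optional>
#include <string>
#include <string_view>

// Minimum password length from STIG-ID V-222536 (APSC-DV-001680), cited on this page.
constexpr std::size_t kMinPasswordLength = 15;

// Hypothetical result type for the policy check (assumption, not a Klocwork or Qt API).
enum class PasswordCheck { Ok, Empty, TooShort };

// Count Unicode code points in a UTF-8 string rather than bytes, so a
// password made of multi-byte characters is not over-counted.
std::size_t utf8Length(std::string_view s) {
    std::size_t n = 0;
    for (unsigned char c : s) {
        if ((c & 0xC0) != 0x80) ++n;  // every byte except UTF-8 continuation bytes starts a code point
    }
    return n;
}

// Policy check: an empty password is rejected outright (the condition this
// checker flags), and anything shorter than the minimum is rejected too.
PasswordCheck checkPassword(std::string_view pwd) {
    if (pwd.empty()) return PasswordCheck::Empty;
    if (utf8Length(pwd) < kMinPasswordLength) return PasswordCheck::TooShort;
    return PasswordCheck::Ok;
}

// Takes a raw value from a configuration source (may be null when the source
// has no entry) and returns it only if it passes the policy. Returning
// nullopt guarantees the caller never reaches setPassword with "".
std::optional<std::string> passwordFromSource(const char* raw) {
    if (raw == nullptr) return std::nullopt;
    std::string pwd(raw);
    if (checkPassword(pwd) != PasswordCheck::Ok) return std::nullopt;
    return pwd;
}

// Hypothetical loader: reads the database password from an environment
// variable (assumed name DB_PASSWORD) instead of hard-coding it in the source.
std::optional<std::string> loadDatabasePassword(const char* envVar = "DB_PASSWORD") {
    return passwordFromSource(std::getenv(envVar));
}

int main() {
    std::optional<std::string> pwd = loadDatabasePassword();
    if (!pwd) {
        std::fprintf(stderr, "DB_PASSWORD is missing, empty, or shorter than %zu characters\n",
                     kMinPasswordLength);
        return 1;  // refuse to connect rather than authenticate with a blank password
    }
    // qSqlDatabase.setPassword(QString::fromStdString(*pwd));  // the Qt call from the page
    return 0;
}
```

Rejecting the empty value at load time, rather than relying on the database server to refuse it, keeps the blank credential from ever being sent over the wire and gives the operator a clear error instead of a confusing authentication failure.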
Related checkers
External guidance
- CERT MSC41-C: Never hard code sensitive information
- CWE-256: Plaintext Storage of a Password
- CWE-259: Use of Hard-coded Password
- CWE-287: Improper Authentication
- CWE-798: Use of Hard-coded Credentials
- OWASP A2:2021 Cryptographic Failures
- OWASP A7:2021 Identification and Authentication Failures
- STIG-ID:V-222536 (APSC-DV-001680): The application must enforce a minimum 15-character password length.
Security training
Application security training materials provided by Secure Code Warrior.
- Sensitive Data Exposure Training Video - Test your skills with a training example
- Insufficiently Protected Credentials Training Video - Test your skills with a training example
- Improper Authentication Training Video - Test your skills with a training example