CXX.SV.PWD.PLAIN.LENGTH.ZERO

Attempt to set password with a length of zero characters

Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH.ZERO defect when an application attempts to set a plain text password that is zero characters long.

Vulnerability and risk

During the authentication process, if a user provides a password that zero characters in length, a malicious actor can easily compromise the application or system.

Mitigation and prevention

Use strong passwords by setting passwords that are 15 or more characters.

Vulnerable code example

Copy

1
2
3
4
5
6
#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    this->qSqlDatabase.setUserName("J0a1m8");
    this->qSqlDatabase.setPassword("");
}

Klocwork reports a CXX.SV.PWD.PLAIN.LENGTH.ZERO defect on line 5, indicating, “Attempt to set password with a length of zero characters. Consider increasing the length to 15 characters or more.” In the Database::connect method, the string of zero characters is passed directly to the setPassword API during authentication.

Fixed code example

Copy

1
2
3
4
5
6
7
#include <QtSql/QSqlDatabase>
void Database::connect(Ui::MainWindow *ui){
    /* Set connections */
    QString pwd = "J0a1m8welCome6469";
    this->qSqlDatabase.setUserName("mojito");
    this->qSqlDatabase.setPassword(pwd);
}

Klocwork no longer reports a CXX.SV.PWD.PLAIN.LENGTH.ZERO defect because the password provided to the setPassword API is at least 15 characters long.

Related checkers

External guidance

Security training

Application security training materials provided by Secure Code Warrior.