CXX.SV.PWD_INPUT.REVIEW

Password authentication should be checked against brute force attacks

Klocwork reports a CXX.SV.PWD_INPUT.REVIEW defect when password authentication is used in applications. Designers can review the defects to ensure that their company authentication policy is enforced.

Vulnerability and risk

Not limiting unsuccessful password authentication attempts exposes the application to brute force attacks: an attacker can try to find a user's password by repeatedly submitting new guesses. Allowing an unbounded number of authentication attempts can therefore lead to unauthorized access to the application.

Mitigation and prevention

Review the password authentication process to ensure that it conforms with your company's authentication policy. In general, Klocwork recommends limiting unsuccessful authentication to a maximum of three attempts within a 15-minute interval. After three failed attempts, the user account should be locked.
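As an added example (not code from the Klocwork documentation or the checker itself), the lockout rule above expressed as a small, Qt-independent C++ policy class that an application can consult before checking a password. The account names, the injected clock in Unix seconds and the `attemptLogin` gate are assumptions; this version lets the lock lapse once the failures age out of the 15-minute window, whereas a stricter policy may require a manual unlock.

```cpp
#include <cstdint>
#include <deque>
#include <map>
#include <string>

// Lockout policy from the text: at most 3 failed attempts per account within a
// 15-minute window; the third failure locks the account. Time is passed in as
// Unix seconds (assumed) so the behaviour is deterministic and testable.
class LockoutPolicy {
public:
    explicit LockoutPolicy(int maxFailures = 3, std::int64_t windowSec = 15 * 60)
        : maxFailures_(maxFailures), windowSec_(windowSec) {}

    // True if the account has reached the failure limit inside the window.
    bool isLocked(const std::string& account, std::int64_t now) {
        auto it = failures_.find(account);
        if (it == failures_.end()) return false;
        prune(it->second, now);
        return static_cast<int>(it->second.size()) >= maxFailures_;
    }

    // Record one failed attempt; returns true if the account is now locked.
    bool recordFailure(const std::string& account, std::int64_t now) {
        auto& q = failures_[account];
        prune(q, now);
        q.push_back(now);
        return static_cast<int>(q.size()) >= maxFailures_;
    }

    // A successful login clears the failure history for the account.
    void recordSuccess(const std::string& account) { failures_.erase(account); }

    // Gate every authentication attempt through the policy. `passwordOk` is the
    // result of the real credential check (assumed to be done by the caller).
    bool attemptLogin(const std::string& account, bool passwordOk, std::int64_t now) {
        if (isLocked(account, now)) return false;   // refuse even a correct password
        if (passwordOk) { recordSuccess(account); return true; }
        recordFailure(account, now);
        return false;
    }

private:
    // Drop failures older than the window (assumption: lock lapses with them).
    void prune(std::deque<std::int64_t>& q, std::int64_t now) {
        while (!q.empty() && now - q.front() >= windowSec_) q.pop_front();
    }
    int maxFailures_;
    std::int64_t windowSec_;
    std::map<std::string, std::deque<std::int64_t>> failures_;
};
```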

Vulnerable code example

void login_form1()
{
    QLineEdit *editPassword;
    editPassword = new QLineEdit();
    editPassword->setEchoMode(QLineEdit::Password); // password field identified here
    QString password = editPassword->text();        // defect reported here: no attempt limit is enforced
}

Klocwork reports a CXX.SV.PWD_INPUT.REVIEW defect on line 6 because a password field is identified on line 5. It is the role of the reviewer to ensure that authentication with this password field follows the application's policy for unsuccessful authentication attempts.

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis and PWD_INPUT records for more information.