SV.PASSWD.HC.MINLEN
Minimum 15 character length Hardcoded Password
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, because the user can be an attacker or has the potential for introducing human error.
Klocwork reports a SV.PASSWD.HC.MINLEN defect when a hardcoded string is used by a method that accepts passwords or by a method that performs encryption.
Vulnerability and risk
Source code is always considered bad for storing passwords and should be avoided whenever possible. However, if a developer needs to store a hard-coded password, its complexity can be increased to reduce the risk of the password being easily compromised. For example, it can have a minimum character length, such as 15, so that it is more difficult for an attacker to guess.
Mitigation and prevention
Use long password as each additional character exponentially increases the number of combinations required to guess the password by all means, including, but not limited to, brute-force attacks.
Vulnerable code example
public static void main(String[] args) throws SQLException {
Properties info = new Properties();
info.setProperty("user", "admin");
info.setProperty("password", "0102030405");
DriverManager.getConnection("jdbc:mysql://localhost:8800", info);
}Klocwork reports a SV.PASSWD.HC.MINLEN defect on line 4, indicating, "String "0102030405" used as password : Having password less than 15 characters can compromise security.
Fixed code example
public static void main(String[] args) throws SQLException {
Properties info = new Properties();
info.setProperty("user", "admin");
info.setProperty("password", "0102030405060708");
DriverManager.getConnection("jdbc:mysql://localhost:8800", info);
}Klockwork no longer reports a defect because the password is 16 characters long.
