DerScanner
Home / Vulnerability Database / Java : Unsafe password storage
Java

Java : Unsafe password storage

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session ManagementA6-Sensitive Data Exposure
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
OWASP MASVS
V2: 2.14.(L2/L2+R)V8: 8.11.(L1+R/L2+R)
OWASP ASVS
Stored CryptographyStored CryptographyAuthenticationAuthenticationAuthenticationAuthenticationAuthentication
PCI DSS 4.0
6.2.48.3.2
HIPAA
§164.312 (a)(2)(iv)
CWE
CWE-319CWE-1028CWE-1032

Overview

The trivial encoding does not provide the required level of password protection.

Storing passwords in unencrypted form is insecure. A developer can use encoding (e.g., base64), but this is not enough to store passwords securely.

References

  1. OWASP Top 10 2013-A6-Sensitive Data Exposure
  2. CWE-261: Weak Encoding for Password: Weak Cryptography for Passwords
  3. CWE-312: Cleartext Storage of Sensitive Information
  4. OWASP Top 10 2017 A2-Broken Authentication
  5. OWASP Top 10 2017-A3-Sensitive Data Exposure
  6. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
  7. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
MEDIUM

DerScanner Severity Score

Do you want to fix Java : Unsafe password storage in your application?

See also

Java

Java : Race condition

Java

Java : Text4Shell Vulnerability

Java

Java : JNI usage