PL/SQL
PL or SQL : Unsafe password management
Classification: OWASP Top 10 2017, OWASP Top 10 2021, OWASP ASVS
Overview
Insecure handling of passwords.
Passwords must never be kept in plaintext. Passwords that the application only needs to verify (end-user credentials) should be stored as salted, iterated hashes, never in a recoverable form; passwords the application itself must present (for example the password of a schema or database link read from a configuration file) belong in a protected secrets store such as an Oracle wallet or secure external password store, not in a plaintext file. A password that sits in plaintext in a configuration file, a table column or a PL/SQL source body is readable by anyone with access to that file or to the data dictionary (PL/SQL source is visible through ALL_SOURCE unless wrapped), and one such leak compromises the application's data.
Developers often assume that data in a configuration file is adequately protected; that assumption does the attacker's work for them. Sound password management requires that a password is never stored in plaintext.
Set secure values for the password policy. Limit the number of failed authentication attempts, bound session length, and enforce a minimum password length and complexity. In Oracle these controls live in a profile assigned to the user (FAILED_LOGIN_ATTEMPTS, PASSWORD_LOCK_TIME, PASSWORD_LIFE_TIME, IDLE_TIME, CONNECT_TIME and a PASSWORD_VERIFY_FUNCTION); note that the session limits IDLE_TIME and CONNECT_TIME are only enforced when the RESOURCE_LIMIT parameter is TRUE.
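The plaintext-storage pattern described above beside a hardened version, as an added example that is not DerScanner's or Oracle's code. It assumes Oracle 12c or later (for DBMS_CRYPTO.HASH_SH512), that EXECUTE on DBMS_CRYPTO has been granted to the schema owner, and uses constructed table and routine names (app_users_bad, app_users, stretch_password, register_user, login). DBMS_CRYPTO offers no bcrypt, Argon2 or PBKDF2; the salted, iterated SHA-512 below is a stand-in that at least slows offline guessing, and a real password KDF in the application tier is preferable where one is available.

```sql
-- BEFORE: the pattern the finding flags. The password is stored as typed
-- and compared as a string, so anyone who can read the table (or a dump
-- of it) holds every credential.
CREATE TABLE app_users_bad (
  username VARCHAR2(64)  PRIMARY KEY,
  password VARCHAR2(128) NOT NULL
);

CREATE OR REPLACE FUNCTION login_bad(p_user IN VARCHAR2, p_pass IN VARCHAR2)
  RETURN BOOLEAN IS
  l_count PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO l_count
    FROM app_users_bad
   WHERE username = p_user AND password = p_pass;
  RETURN l_count = 1;
END;
/

-- AFTER: only a per-user random salt and an iterated digest are stored.
CREATE TABLE app_users (
  username       VARCHAR2(64) PRIMARY KEY,
  pwd_salt       RAW(16)      NOT NULL,
  pwd_hash       RAW(64)      NOT NULL,   -- SHA-512 digest is 64 bytes
  pwd_iterations NUMBER(7)    NOT NULL    -- stored so it can be raised later
);

-- digest_1 = H(salt || password); digest_n = H(salt || digest_(n-1))
CREATE OR REPLACE FUNCTION stretch_password(
  p_pass IN VARCHAR2, p_salt IN RAW, p_iter IN PLS_INTEGER) RETURN RAW IS
  l_digest RAW(64);
BEGIN
  l_digest := DBMS_CRYPTO.HASH(
                UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_pass, 'AL32UTF8')),
                DBMS_CRYPTO.HASH_SH512);
  FOR i IN 2 .. p_iter LOOP
    l_digest := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(p_salt, l_digest),
                                 DBMS_CRYPTO.HASH_SH512);
  END LOOP;
  RETURN l_digest;
END;
/

CREATE OR REPLACE PROCEDURE register_user(p_user IN VARCHAR2, p_pass IN VARCHAR2) IS
  l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);   -- fresh salt per user
  c_iter CONSTANT PLS_INTEGER := 100000;           -- tune to your CPU budget
BEGIN
  INSERT INTO app_users (username, pwd_salt, pwd_hash, pwd_iterations)
  VALUES (p_user, l_salt, stretch_password(p_pass, l_salt, c_iter), c_iter);
END;
/

CREATE OR REPLACE FUNCTION login(p_user IN VARCHAR2, p_pass IN VARCHAR2)
  RETURN BOOLEAN IS
  l_rec app_users%ROWTYPE;
BEGIN
  SELECT * INTO l_rec FROM app_users WHERE username = p_user;
  -- UTL_RAW.COMPARE returns 0 when the two RAW values are identical
  RETURN UTL_RAW.COMPARE(
           l_rec.pwd_hash,
           stretch_password(p_pass, l_rec.pwd_salt, l_rec.pwd_iterations)) = 0;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN FALSE;     -- unknown user: same answer as a wrong password
END;
/

-- Check: look for password literals in stored PL/SQL source
SELECT owner, name, type, line, text
  FROM all_source
 WHERE REGEXP_LIKE(text, 'pass(word|wd)?\s*:?=\s*''[^'']+''', 'i');
```

The final query is the quick check a reviewer runs after fixing the code: any hit is a password literal in an unwrapped package body, visible to every account with SELECT on the dictionary views for that schema. The NO_DATA_FOUND branch in login returns the same result for an unknown user as for a wrong password so the routine does not leak which usernames exist.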
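The policy settings from the paragraph above expressed as an Oracle profile, as an added example that is not DerScanner's or Oracle's code. It assumes DBA privileges, an application account named app_user, and a constructed verify function app_pwd_verify; the numeric limits are illustrative values, not a recommendation from the original page. A PASSWORD_VERIFY_FUNCTION must be owned by SYS and has the fixed three-argument signature shown.

```sql
-- Password complexity rules, enforced by the database on every password change
CREATE OR REPLACE FUNCTION sys.app_pwd_verify (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2) RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:upper:]]')
     OR NOT REGEXP_LIKE(password, '[[:lower:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20002, 'Password needs upper, lower and digit characters');
  END IF;
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20003, 'Password must not contain the username');
  END IF;
  IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
    raise_application_error(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- Lockout, rotation, reuse and session limits
CREATE PROFILE app_secure LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- lock after 5 consecutive failures
  PASSWORD_LOCK_TIME       1/24       -- stay locked for 1 hour (unit is days)
  PASSWORD_LIFE_TIME       90         -- days before the password expires
  PASSWORD_GRACE_TIME      7          -- days of warning after expiry
  PASSWORD_REUSE_MAX       10         -- previous passwords that cannot be reused
  PASSWORD_REUSE_TIME      365        -- days before a password may be reused
  PASSWORD_VERIFY_FUNCTION app_pwd_verify
  IDLE_TIME                30         -- minutes; needs RESOURCE_LIMIT = TRUE
  CONNECT_TIME             480;       -- minutes; needs RESOURCE_LIMIT = TRUE

ALTER SYSTEM SET resource_limit = TRUE;
ALTER USER app_user PROFILE app_secure;

-- Check: password limits per profile, to spot profiles still on loose settings
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
 ORDER BY profile, resource_name;

-- Check: accounts still on the DEFAULT profile, which inherits its loose limits
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile = 'DEFAULT';
```

The two SELECTs at the end are the audit step: a profile whose password limits read UNLIMITED, or an application account left on DEFAULT, means the policy described on this page is not actually applied to that account.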
References
- OWASP Top 10 2013 A5: Security Misconfiguration
- OWASP Top 10 2013 A6: Sensitive Data Exposure
- OWASP Top 10 2017 A2: Broken Authentication
- OWASP Top 10 2017 A3: Sensitive Data Exposure
- CWE-261: Weak Encoding for Password
- CWE Category: OWASP Top Ten 2017 Category A2 - Broken Authentication
- CWE Category: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
- owa_sec package reference (docs.oracle.com)
DerScanner Severity Score: LOW