CWE-258: Empty Password in Configuration File
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
Using an empty string as a password is insecure.
常见后果
影响范围: Access Control
技术影响: Gain Privileges or Assume Identity
潜在缓解措施
阶段: System Configuration
描述: Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.
观察示例
参考: CVE-2022-26117
Network access control (NAC) product has a configuration file with an empty password
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| Operation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Password Management: Empty Password in Configuration File | - |