Difference between revisions of "Empty String Password"

From OWASP
Jump to: navigation, search
 
m (corrected grammar)
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 +
{{Template:Fortify}}
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
 +
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
 
==Description==
 
==Description==
Empty string password allows attackers that obtain the cooresponding user name, which is normally public or easily guessable, to log in to the application. This also makes a brute-force attack much easier, in which an attacker only needs to guess the right user name in order to get in.
 
  
==Examples ==
+
Using an empty string as a password is insecure.
 +
 
 +
It is never appropriate to use an empty string as a password. It is too easy to guess. An empty string password makes the authentication as weak as the user names, which are normally public or guessable. This makes a brute-force attack against the login interface much easier.
 +
 
 +
==Risk Factors==
 +
 
 +
TBD
 +
 
 +
==Examples==
 +
 
 +
TBD
 +
 
 +
==Related [[Attacks]]==
 +
 
 +
*  [[Brute force attack]] against application log in interface. 
 +
 
 +
 
 +
==Related [[Vulnerabilities]]==
 +
 
 +
*  [[Weak Passwords]]
 +
 
 +
 
 +
==Related [[Controls]]==
 +
 
 +
* [[:Category:Authentication]]
 +
* [[Strong Password Policy]]
 +
 
 +
 
 +
==Related [[Technical Impacts]]==
  
==Related Threats==
+
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
  
Attackers try to obtain a log in account of the application.
 
  
==Related Attacks==
+
==References==
* [[Brute-force Attack]] against application log in interface. 
+
TBD
  
==Related Vulnerabilities==
 
* [[Weak Passwords]]
 
  
==Related Countermeasures==
 
[[:Category:Authentication]]
 
[[Strong Password Policy]]
 
  
==Categories==
+
__NOTOC__
  
[[Category:Password Management Problem]]
 
  
{{Template:Stub}}
+
[[Category:OWASP ASDR Project]]
 +
[[Category:Password Management Vulnerability]]
 +
[[Category:Authentication Vulnerability]]
 +
[[Category:Environmental Vulnerability]]
 +
[[Category:Deployment]]
 +
[[Category:Vulnerability]]

Revision as of 09:31, 5 September 2012

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by Fortify.JPG.

Last revision (mm/dd/yy): 09/5/2012

Vulnerabilities Table of Contents

Description

Using an empty string as a password is insecure.

It is never appropriate to use an empty string as a password. It is too easy to guess. An empty string password makes the authentication as weak as the user names, which are normally public or guessable. This makes a brute-force attack against the login interface much easier.

Risk Factors

TBD

Examples

TBD

Related Attacks


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD