Difference between revisions of "Empty String Password"

From OWASP
Jump to: navigation, search
(Description)
m (corrected grammar)
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 +
{{Template:Fortify}}
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
 +
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
 
==Description==
 
==Description==
Empty string password makes the authentication as weak as the user names, which are normally public or guessable. This make a brute-force attack against the login interface much easier.
 
  
==Examples ==
+
Using an empty string as a password is insecure.
 +
 
 +
It is never appropriate to use an empty string as a password. It is too easy to guess. An empty string password makes the authentication as weak as the user names, which are normally public or guessable. This makes a brute-force attack against the login interface much easier.
 +
 
 +
==Risk Factors==
 +
 
 +
TBD
 +
 
 +
==Examples==
 +
 
 +
TBD
 +
 
 +
==Related [[Attacks]]==
 +
 
 +
*  [[Brute force attack]] against application log in interface. 
 +
 
 +
 
 +
==Related [[Vulnerabilities]]==
 +
 
 +
*  [[Weak Passwords]]
 +
 
 +
 
 +
==Related [[Controls]]==
 +
 
 +
* [[:Category:Authentication]]
 +
* [[Strong Password Policy]]
 +
 
 +
 
 +
==Related [[Technical Impacts]]==
  
==Related Threats==
+
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
  
Attackers try to obtain a log in account of the application.
 
  
==Related Attacks==
+
==References==
* [[Brute-force Attack]] against application log in interface. 
+
TBD
  
==Related Vulnerabilities==
 
* [[Weak Passwords]]
 
  
==Related Countermeasures==
 
[[:Category:Authentication]]
 
[[Strong Password Policy]]
 
  
==Categories==
+
__NOTOC__
  
[[Category:Password Management Problem]]
 
  
{{Template:Stub}}
+
[[Category:OWASP ASDR Project]]
 +
[[Category:Password Management Vulnerability]]
 +
[[Category:Authentication Vulnerability]]
 +
[[Category:Environmental Vulnerability]]
 +
[[Category:Deployment]]
 +
[[Category:Vulnerability]]

Latest revision as of 09:31, 5 September 2012

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.JPG.

Last revision (mm/dd/yy): 09/5/2012

Vulnerabilities Table of Contents

Description

Using an empty string as a password is insecure.

It is never appropriate to use an empty string as a password. It is too easy to guess. An empty string password makes the authentication as weak as the user names, which are normally public or guessable. This makes a brute-force attack against the login interface much easier.

Risk Factors

TBD

Examples

TBD

Related Attacks


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD