Difference between revisions of "Empty String Password"

From OWASP
Jump to: navigation, search
(Merged with contents provided by Fortify.)
m (corrected grammar)
 
(6 intermediate revisions by one user not shown)
Line 2: Line 2:
 
{{Template:Fortify}}
 
{{Template:Fortify}}
  
==Abstract==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
Using an empty string as a password is insecure.
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
 
==Description==
 
==Description==
It is never appropriate to use an empty string as a password. It is too easy to guess. Empty string password makes the authentication as weak as the user names, which are normally public or guessable. This make a brute-force attack against the login interface much easier.
 
  
==Examples ==
+
Using an empty string as a password is insecure.
  
==Related Threats==
+
It is never appropriate to use an empty string as a password. It is too easy to guess. An empty string password makes the authentication as weak as the user names, which are normally public or guessable. This makes a brute-force attack against the login interface much easier.
  
Attackers try to obtain a log in account of the application.
+
==Risk Factors==
  
==Related Attacks==
+
TBD
* [[Brute-force Attack]] against application log in interface. 
+
  
==Related Vulnerabilities==
+
==Examples==
* [[Weak Passwords]]
+
 
 +
TBD
 +
 
 +
==Related [[Attacks]]==
 +
 
 +
*  [[Brute force attack]] against application log in interface. 
 +
 
 +
 
 +
==Related [[Vulnerabilities]]==
 +
 
 +
* [[Weak Passwords]]
 +
 
 +
 
 +
==Related [[Controls]]==
  
==Related Countermeasures==
 
 
* [[:Category:Authentication]]
 
* [[:Category:Authentication]]
 
* [[Strong Password Policy]]
 
* [[Strong Password Policy]]
  
==Categories==
 
  
 +
==Related [[Technical Impacts]]==
 +
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 +
 +
==References==
 +
TBD
 +
 +
 +
 +
__NOTOC__
 +
 +
 +
[[Category:OWASP ASDR Project]]
 
[[Category:Password Management Vulnerability]]  
 
[[Category:Password Management Vulnerability]]  
 
[[Category:Authentication Vulnerability]]
 
[[Category:Authentication Vulnerability]]
 
[[Category:Environmental Vulnerability]]
 
[[Category:Environmental Vulnerability]]
 
[[Category:Deployment]]
 
[[Category:Deployment]]
 +
[[Category:Vulnerability]]

Latest revision as of 09:31, 5 September 2012

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.JPG.

Last revision (mm/dd/yy): 09/5/2012

Vulnerabilities Table of Contents

Description

Using an empty string as a password is insecure.

It is never appropriate to use an empty string as a password. It is too easy to guess. An empty string password makes the authentication as weak as the user names, which are normally public or guessable. This makes a brute-force attack against the login interface much easier.

Risk Factors

TBD

Examples

TBD

Related Attacks


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD