Difference between revisions of "Empty String Password"

From OWASP
Jump to: navigation, search
(Merged with contents provided by Fortify.)
Line 2: Line 2:
 
{{Template:Fortify}}
 
{{Template:Fortify}}
  
==Abstract==
+
[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]
 +
 
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
 
 +
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
 +
 
 +
[[ASDR Table of Contents]]
 +
__TOC__
  
Using an empty string as a password is insecure.
 
  
 
==Description==
 
==Description==
It is never appropriate to use an empty string as a password. It is too easy to guess. Empty string password makes the authentication as weak as the user names, which are normally public or guessable. This make a brute-force attack against the login interface much easier.
 
  
==Examples ==
+
Using an empty string as a password is insecure.
  
==Related Threats==
+
It is never appropriate to use an empty string as a password. It is too easy to guess. Empty string password makes the authentication as weak as the user names, which are normally public or guessable. This make a brute-force attack against the login interface much easier.
  
 
Attackers try to obtain a log in account of the application.  
 
Attackers try to obtain a log in account of the application.  
  
==Related Attacks==
 
* [[Brute-force Attack]] against application log in interface. 
 
  
==Related Vulnerabilities==
 
* [[Weak Passwords]]
 
  
==Related Countermeasures==
+
==Risk Factors==
 +
 
 +
TBD
 +
 
 +
==Examples==
 +
 
 +
TBD
 +
 
 +
==Related [[Attacks]]==
 +
 
 +
*  [[Brute force attack]] against application log in interface. 
 +
 
 +
 
 +
==Related [[Vulnerabilities]]==
 +
 
 +
*  [[Weak Passwords]]
 +
 
 +
 
 +
==Related [[Controls]]==
 +
 
 
* [[:Category:Authentication]]
 
* [[:Category:Authentication]]
 
* [[Strong Password Policy]]
 
* [[Strong Password Policy]]
  
==Categories==
 
  
 +
==Related [[Technical Impacts]]==
 +
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 +
 +
==References==
 +
TBD
 +
 +
[[Category:FIXME|add links
 +
 +
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
 +
 +
Availability Vulnerability
 +
 +
Authorization Vulnerability
 +
 +
Authentication Vulnerability
 +
 +
Concurrency Vulnerability
 +
 +
Configuration Vulnerability
 +
 +
Cryptographic Vulnerability
 +
 +
Encoding Vulnerability
 +
 +
Error Handling Vulnerability
 +
 +
Input Validation Vulnerability
 +
 +
Logging and Auditing Vulnerability
 +
 +
Session Management Vulnerability]]
 +
 +
__NOTOC__
 +
 +
 +
[[Category:OWASP ASDR Project]]
 
[[Category:Password Management Vulnerability]]  
 
[[Category:Password Management Vulnerability]]  
 
[[Category:Authentication Vulnerability]]
 
[[Category:Authentication Vulnerability]]
 
[[Category:Environmental Vulnerability]]
 
[[Category:Environmental Vulnerability]]
 
[[Category:Deployment]]
 
[[Category:Deployment]]

Revision as of 19:08, 23 September 2008

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.JPG.

Last revision (mm/dd/yy): 09/23/2008

Vulnerabilities Table of Contents

ASDR Table of Contents

Contents


Description

Using an empty string as a password is insecure.

It is never appropriate to use an empty string as a password. It is too easy to guess. Empty string password makes the authentication as weak as the user names, which are normally public or guessable. This make a brute-force attack against the login interface much easier.

Attackers try to obtain a log in account of the application.


Risk Factors

TBD

Examples

TBD

Related Attacks


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD