
CWE-261 (Weak Encoding for Password) — Vulnerability Class 35

35 vulnerabilities classified as CWE-261 (Weak Encoding for Password). An AI-generated analysis in Chinese is included with each entry.

CWE-261 covers the mistake of treating a trivial, keyless encoding such as Base64 as protection for a stored password. Encoding only changes how bytes are represented; it involves no secret, so anyone who can read the encoded string can reverse it with a standard library call and recover the plaintext. In practice the weak value sits in a properties file, a registry key, or a database dump, and an attacker who obtains that artifact decodes it and uses the credential to authenticate to whatever it protects. The right fix depends on which kind of password it is. Passwords the application verifies (user logins) should never be stored in recoverable form at all: store a salted, deliberately slow hash (bcrypt, scrypt, Argon2id, or PBKDF2) so that a stolen store still forces per-password guessing. Credentials the application must present to another system, as in the database examples below, cannot be hashed because the plaintext is needed at connection time; keep them out of the configuration file and supply them at runtime from a secrets manager, the operating system's credential store, or the deployment environment, or encrypt them with a key that is held somewhere the configuration file is not.

MITRE CWE Description
Obscuring a password with a trivial encoding does not protect the password. Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (1)
Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.
Examples (2)
The following code reads a password from a properties file and uses the password to connect to a database. The value in config.properties is only Base64-encoded, so anyone who can read the file can recover it.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.sql.DriverManager;
import java.util.Base64;
import java.util.Properties;

...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
// Base64 is a representation, not a cipher: this "decryption" needs no key.
String password = new String(
        Base64.getDecoder().decode(prop.getProperty("password")),
        StandardCharsets.UTF_8);
DriverManager.getConnection(url, usr, password);
...
```

Bad · Java

The following code reads a password from the registry and uses the password to create a new network credential. The registry value is Base64-encoded and nothing more, so any user who can read that key obtains the credential.

```csharp
using System;
using System.Net;
using System.Text;

...
string value = regKey.GetValue(passKey).ToString();
// Base64 only transforms the bytes; no secret is involved in reversing it.
byte[] decVal = Convert.FromBase64String(value);
NetworkCredential netCred =
    new NetworkCredential(username, Encoding.UTF8.GetString(decVal), domain);
...
```

Bad · C#
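Both sides of the point made above, as an added, self-contained Python example (this is illustrative code written for this page, not MITRE's example code and not from any product in the CVE list). It shows how little effort "recovering" a Base64-obscured config password takes, a heuristic check you can run over a configuration file to spot such values, and the two correct handling patterns: a salted, slow PBKDF2 hash for passwords the application verifies, and runtime injection for a credential the application must present. The sample config text is constructed; the `DB_PASSWORD` variable name, the 600,000-iteration PBKDF2 setting, and the `pbkdf2_sha256$...` storage format are assumptions chosen for the example.

```python
import base64
import binascii
import configparser
import hashlib
import hmac
import os
import re
import secrets
from typing import List, Optional

# Constructed sample config in the style of the Java example above:
# the "password" value is merely Base64-encoded.
SAMPLE_CONFIG = """
[database]
url = jdbc:postgresql://db.example.internal/app
user = app
password = UzNjcjN0UEBzc3cwcmQh
"""

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PBKDF2_ITERATIONS = 600_000  # assumption: tune so one hash costs ~100 ms on your hosts


def recover_encoded_password(config_text: str) -> str:
    """What anyone with read access to the file does: decode the 'obscured' value.

    No key, no secret, no brute force. Base64 is a representation, not protection.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    return base64.b64decode(cfg["database"]["password"]).decode("utf-8")


def looks_base64_encoded(value: str) -> bool:
    """Audit heuristic: is this config value Base64 that decodes to printable text?

    Real ciphertext or a random token normally fails the printable-text test,
    so this flags the CWE-261 pattern without many false positives.
    """
    if len(value) < 8 or len(value) % 4 != 0 or not _B64_RE.match(value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return all(32 <= b < 127 for b in decoded)


def audit_config(config_text: str) -> List[str]:
    """Return 'section.key' names whose values look like Base64-obscured text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    return [f"{s}.{k}" for s in cfg.sections()
            for k, v in cfg[s].items() if looks_base64_encoded(v)]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Correct storage for passwords the application VERIFIES: salted, slow, one-way.

    Output format (assumed for this example): pbkdf2_sha256$<iterations>$<salt>$<digest>.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def load_service_password(env_var: str = "DB_PASSWORD") -> str:
    """Credentials the application must PRESENT (the database login in the CWE
    example) cannot be hashed: the plaintext is needed at connect time. Keep them
    out of the config file and inject them at runtime (assumption: the deployment
    sets DB_PASSWORD from a secret store; the same shape works for any manager).
    """
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to fall back to a config-file password")
    return value


if __name__ == "__main__":
    print("decoded from config:", recover_encoded_password(SAMPLE_CONFIG))
    print("suspicious keys:", audit_config(SAMPLE_CONFIG))
    stored = hash_password("S3cr3tP@ssw0rd!")
    print("stored form:", stored)
    print("verify correct password:", verify_password("S3cr3tP@ssw0rd!", stored))
    print("verify wrong password:", verify_password("guess", stored))
```

Running `audit_config` over a real properties or ini file is a quick way to find the pattern during a configuration review; the hashing functions are what the user-login side should look like, and `load_service_password` makes the point that a connection password has no business being in the file at all.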
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2021-21507 | Dell EMC Networking X-Series cryptographic issue vulnerability — VRTX Switch Modules | 8.8 | High | 2021-04-30 |
| CVE-2013-1053 | Insecure crypto for storing passwords — remote-login-service | 5.5 | Medium | 2021-01-13 |
| CVE-2020-10919 | C-More HMI EA9 cryptographic issue vulnerability — HMI EA9 | 5.9 | - | 2020-07-23 |
| CVE-2020-10275 | RVD#2565: Weak token generation for the REST API. — MiR100 | 8.1 | - | 2020-06-24 |
| CVE-2017-7905 | Security vulnerability in multiple GE products — GE Multilin SR, UR, and URplus Protective Relays | 9.8 | - | 2017-06-30 |

Vulnerabilities classified as CWE-261 (Weak Encoding for Password) represent 35 CVEs. The CWE taxonomy describes the weakness class; review each CVE for its product-specific impact.