
Insecure password storage


Description

Insecure storage of a password can lead to account compromise. The vulnerability results from storing the password with an insecure method, so that it is exposed to unauthorized access or compromise.

The following example shows insecure storage of password credentials in cookies (the plaintext password is sent to the client, persisted on the device and readable by anything with access to the cookie store):

// Vulnerable: the raw password is written into a cookie
response.addCookie(new Cookie("password", password));

Recommendation

Mobile applications must use a secure API to store credentials. Android applications may use AccountManager to store account credentials. It is also highly recommended that mobile applications use OAuth-based authentication, which avoids storing the password at all and limits the impact of attacks such as password reuse.

To implement OAuth-based authentication, Cordova applications may use the jquery-cordova-oauth2 library. Android applications may use the AccountManager API, and iOS applications may use the OAuth2Client library.
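The following Android snippet is an added example and is not code from the original page. It shows the hardened counterpart of the cookie example above: the app keeps an OAuth access token, not the password, and hands it to AccountManager instead of writing it into a cookie. It assumes the app registers an account type "com.example.account" through its own AccountAuthenticator service (required for addAccountExplicitly to succeed); the account type, the token type label "oauth2" and the class name CredentialStore are assumptions for illustration.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.content.Context;

// Added example: stores an OAuth token via AccountManager instead of
// putting the password in a cookie. ACCOUNT_TYPE must match the
// authenticator declared by the app (assumed here).
public final class CredentialStore {
    private static final String ACCOUNT_TYPE = "com.example.account"; // assumed
    private static final String TOKEN_TYPE = "oauth2";                // assumed

    private CredentialStore() {}

    // Registers the account (if not already present) and caches the access
    // token obtained from the OAuth flow. The password argument is null on
    // purpose: AccountManager would keep it in plaintext, and with OAuth the
    // app never needs it after the initial exchange.
    public static void storeToken(Context ctx, String user, String accessToken) {
        AccountManager am = AccountManager.get(ctx);
        Account account = new Account(user, ACCOUNT_TYPE);
        // Returns false if the account already exists; either way we can set the token.
        am.addAccountExplicitly(account, null, null);
        am.setAuthToken(account, TOKEN_TYPE, accessToken);
    }

    // Reads the cached token without prompting the user. Returns null when
    // no token is cached, in which case the caller should re-run the OAuth flow.
    public static String peekToken(Context ctx, String user) {
        AccountManager am = AccountManager.get(ctx);
        Account account = new Account(user, ACCOUNT_TYPE);
        return am.peekAuthToken(account, TOKEN_TYPE);
    }

    // Drops a token that the server rejected (expired or revoked) so the
    // next peekToken() returns null and a fresh token is requested.
    public static void discardToken(Context ctx, String token) {
        AccountManager.get(ctx).invalidateAuthToken(ACCOUNT_TYPE, token);
    }
}
```

Two points worth checking in a review of such code: addAccountExplicitly only works when the calling app owns the authenticator for ACCOUNT_TYPE (otherwise it throws a SecurityException), and the password parameter should stay null, because AccountManager stores whatever is passed there unencrypted in the system accounts database.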

Standards

  • OWASP_MASVS_L1:
    • MSTG_STORAGE_2
  • OWASP_MASVS_L2:
    • MSTG_STORAGE_2
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_3_6
    • REQ_3_7
    • REQ_6_2