Insecure password storage

Insecure password storage

Risk: medium

Description

Insecure storage of password could lead to account compromise. The vulnerability is the result of storing password using insecure methods that are susceptible to unauthorized access or compromise.

The following example shows insecure storage of password credentials in cookies:

response.addCookie(new Cookie("password", password));

Recommendation

Mobile applications must use secure API to store credentials. Android applications may AccountManager to store account credentials. It also highly recommended for mobile application to use OAuth-based authentication to avoid storing credentials and prevent attacks like password reuse.

To implement OAuth-based authentication, Cordova application may use the jquery-cordova-oauth2 library. Android application may use AccountManager API and iOS application may use OAuth2Client library.

Links

• OWASP Insecure Cryptographic Storage
• OWASP Insecure Storage
• CWE-522 Insufficiently Protected Credentials
• CWE-312 Cleartext Storage of Sensitive Information
• CWE-256 Plaintext Storage of a Password

Standards

• OWASP_MASVS_L1:
  • MSTG_STORAGE_2
• OWASP_MASVS_L2:
  • MSTG_STORAGE_2