Insecure password storage
Description
Insecure storage of a password can lead to account compromise. The vulnerability results from storing the password using a method that is susceptible to unauthorized access, for example writing the cleartext password into a cookie, a log file, a world-readable file or an unprotected preference store, where any party that can read the storage location recovers the credential directly.
The following example shows insecure storage of password credentials in cookies:
response.addCookie(new Cookie("password", password));
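The following is an added example (not code from the original query help) that places the cookie call above beside a safer alternative: instead of persisting the password itself, the server issues an opaque, randomly generated session identifier bound to the user on the server side, and marks the cookie HttpOnly and Secure so it is neither readable by page scripts nor sent over plaintext HTTP. The SessionStore interface and the cookie name are assumptions for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class LoginCookies {

    // Assumed server-side store that maps an opaque session id to the authenticated user.
    public interface SessionStore {
        void bind(String sessionId, String username);
    }

    private static final SecureRandom RNG = new SecureRandom();

    // BAD: the cleartext password is written into a cookie. Anyone who can read
    // the browser's cookie jar, the proxy logs or the wire (if not HTTPS) gets it.
    public static void rememberPasswordInsecure(HttpServletResponse response, String password) {
        response.addCookie(new Cookie("password", password));
    }

    // GOOD: the cookie carries only a random session identifier that reveals nothing
    // about the password and can be revoked server-side at any time.
    public static String issueSessionCookie(HttpServletResponse response,
                                            SessionStore store,
                                            String username) {
        // 256 bits of CSPRNG output, URL-safe base64 without padding.
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String sessionId = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);

        // The mapping to the user lives on the server, never in the cookie.
        store.bind(sessionId, username);

        Cookie cookie = new Cookie("SESSIONID", sessionId);
        cookie.setHttpOnly(true);      // not readable from document.cookie (Servlet 3.0+)
        cookie.setSecure(true);        // only sent over HTTPS
        cookie.setPath("/");
        cookie.setMaxAge(30 * 60);     // short lifetime, in seconds
        response.addCookie(cookie);
        return sessionId;
    }
}
```

The same principle applies to any other storage location flagged by this query: keep a short-lived, revocable token rather than the user's secret, so that exposure of the storage location does not expose the password.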
Recommendation
Mobile applications must use a secure API to store credentials. Android applications may use AccountManager to store account credentials. It is also highly recommended that mobile applications use OAuth-based authentication, so that the application holds only a revocable access token rather than the user's password; this avoids storing the credential at all and limits the impact of attacks such as password reuse.
To implement OAuth-based authentication, Cordova applications may use the jquery-cordova-oauth2 library, Android applications may use the AccountManager API, and iOS applications may use the OAuth2Client library.
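The following is an added example (not code from the original query help or from the Android project) showing how an Android application keeps an OAuth access token in AccountManager instead of the user's password. The account type and token type strings are assumptions; in a real application the account type must match the one declared by the app's authenticator, since addAccountExplicitly and setAuthToken are only permitted for the authenticator that owns that account type.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.content.Context;
import android.os.Bundle;

public class TokenStore {

    // Assumed values: must match the authenticator.xml declared by this app.
    static final String ACCOUNT_TYPE = "com.example.app";
    static final String TOKEN_TYPE = "oauth2:access";

    // Register the account and attach the access token obtained from the OAuth flow.
    // The password argument is null on purpose: the app never holds the user's secret,
    // only a token the server can revoke.
    public static Account storeToken(Context ctx, String username, String accessToken) {
        AccountManager am = AccountManager.get(ctx);
        Account account = new Account(username, ACCOUNT_TYPE);
        am.addAccountExplicitly(account, /* password */ null, new Bundle());
        am.setAuthToken(account, TOKEN_TYPE, accessToken);
        return account;
    }

    // Read the cached token without triggering an interactive authenticator flow.
    // Returns null if no token of this type is cached, in which case the caller
    // should run the OAuth flow again rather than fall back to a stored password.
    public static String cachedToken(Context ctx, Account account) {
        return AccountManager.get(ctx).peekAuthToken(account, TOKEN_TYPE);
    }

    // Drop a token that the server rejected (expired or revoked) so it is not reused.
    public static void invalidate(Context ctx, String accessToken) {
        AccountManager.get(ctx).invalidateAuthToken(ACCOUNT_TYPE, accessToken);
    }
}
```

AccountManager keeps its data in a system-owned database that other apps cannot read, but a rooted device can; that is the reason to store a revocable token and not the password, since a leaked token can be invalidated server-side without forcing a password change. Never call setPassword with the real password as a convenience cache.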
Links
- OWASP Insecure Cryptographic Storage
- OWASP Insecure Storage
- CWE-522 Insufficiently Protected Credentials
- CWE-312 Cleartext Storage of Sensitive Information
- CWE-256 Plaintext Storage of a Password
Standards
- OWASP_MASVS_L1:
- MSTG_STORAGE_2
- OWASP_MASVS_L2:
- MSTG_STORAGE_2