Difference between revisions of "Empty String Password"
Weilin Zhong (talk | contribs)
Weilin Zhong (talk | contribs) (Merged with contents provided by Fortify.)
| Line 1: | Line 1: | ||
{{Template:Vulnerability}} | {{Template:Vulnerability}} | ||
| + | {{Template:Fortify}} | ||
| + | |||
| + | ==Abstract== | ||
| + | |||
| + | Using an empty string as a password is insecure. | ||
==Description== | ==Description== | ||
| − | Empty string password makes the authentication as weak as the user names, which are normally public or guessable. This make a brute-force attack against the login interface much easier. | + | It is never appropriate to use an empty string as a password. It is too easy to guess. Empty string password makes the authentication as weak as the user names, which are normally public or guessable. This make a brute-force attack against the login interface much easier. |
==Examples == | ==Examples == | ||
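Review bot: the rewritten Description at Line 1 keeps two grammar slips from the old wording, "Empty string password makes" and "This make a brute-force attack"; suggest "An empty-string password makes the authentication as weak as the user name" and "This makes a brute-force attack". The new sentence "It is too easy to guess." also restates the Abstract added just above it and could be folded into the following sentence.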
| Line 17: | Line 22: | ||
==Related Countermeasures== | ==Related Countermeasures== | ||
| − | [[:Category:Authentication]] | + | * [[:Category:Authentication]] |
| − | [[Strong Password Policy]] | + | * [[Strong Password Policy]] |
==Categories== | ==Categories== | ||
[[Category:Password Management Vulnerability]] | [[Category:Password Management Vulnerability]] | ||
| − | |||
[[Category:Authentication Vulnerability]] | [[Category:Authentication Vulnerability]] | ||
| − | + | [[Category:Environmental Vulnerability]] | |
| − | + | [[Category:Deployment]] | |
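Review bot: the two categories added at the end, Environmental Vulnerability and Deployment, have no support in the Description, which only talks about guessability at the login interface; a sentence saying where empty-string passwords are typically introduced (default or pre-configured accounts set up at deployment time) would justify the classification. The conversion of the Related Countermeasures links to list items is fine.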
Revision as of 18:34, 21 July 2006
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Abstract
Using an empty string as a password is insecure.
Description
It is never appropriate to use an empty string as a password. It is too easy to guess. An empty-string password makes the authentication as weak as the user name, which is normally public or guessable. This makes a brute-force attack against the login interface much easier.
Examples
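Added example, not code from the OWASP page or from Fortify: a Python sketch of the two places an empty-string password has to be refused, account creation and login, plus a deployment-time audit of a constructed key=value config file; the minimum length, the config format and the credential-key pattern are assumptions made here.

```python
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

# Minimum length is an assumed local policy value; the wiki page does not set one.
MIN_PASSWORD_LENGTH = 12
# Key=value config format and credential-key pattern are assumptions for this example.
_CRED_KEY = re.compile(r"^\s*([\w.]*(?:pass|pwd|secret)[\w.]*)\s*=\s*(.*?)\s*$", re.I)


def is_acceptable_password(password: Optional[str]) -> Tuple[bool, str]:
    """Account-creation check: the empty string, None and whitespace-only input are
    all rejected as 'empty', since a form that trims input would let them through."""
    if password is None or password.strip() == "":
        return False, "empty password"
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"shorter than {MIN_PASSWORD_LENGTH} characters"
    return True, "ok"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(stored: Optional[bytes], salt: bytes, supplied: Optional[str]) -> bool:
    """Login check that fails closed: an empty supplied password is refused before any
    hashing, so a legacy record whose stored hash is hash("") still cannot be logged into."""
    if not stored or supplied is None or supplied.strip() == "":
        return False
    return hmac.compare_digest(hash_password(supplied, salt), stored)


def find_empty_passwords(config_lines: List[str]) -> List[Tuple[int, str]]:
    """Deployment audit: return (line_no, key) for credential keys whose value is empty,
    including empty or whitespace-only quoted strings such as "" or '  '."""
    hits = []
    for n, line in enumerate(config_lines, 1):
        m = _CRED_KEY.match(line)
        if m and m.group(2).strip("\"'").strip() == "":
            hits.append((n, m.group(1)))
    return hits


# Constructed sample config; not taken from any real deployment.
SAMPLE_CONFIG = [
    "db.host = localhost",
    "db.password = ",
    'smtp_pass = ""',
    "api_secret = s3cr3t-value",
    "admin_pwd = '   '",
]
```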
Related Threats
Attackers try to obtain a login account for the application.
Related Attacks
- Brute-force attack against the application login interface.