This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Empty String Password"

From OWASP
Jump to: navigation, search
 
 
(11 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{{taggedDocument
 +
| type=inactiveDraft
 +
}}
 +
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 +
{{Template:Fortify}}
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
 +
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
 
==Description==
 
==Description==
Empty string password allows attackers that obtain the cooresponding user name, which is normally public or easily guessable, to log in to the application. This also makes a brute-force attack much easier, in which an attacker only needs to guess the right user name in order to get in.
 
  
==Examples ==
+
Using an empty string as a password is insecure.
 +
 
 +
It is never appropriate to use an empty string as a password. It is too easy to guess. An empty string password makes the authentication as weak as the user names, which are normally public or guessable. This makes a brute-force attack against the login interface much easier.
 +
 
 +
==Risk Factors==
 +
 
 +
TBD
 +
 
 +
==Examples==
 +
 
 +
TBD
 +
 
 +
==Related [[Attacks]]==
 +
 
 +
*  [[Brute force attack]] against application log in interface. 
 +
 
 +
 
 +
==Related [[Vulnerabilities]]==
 +
 
 +
*  [[Weak Passwords]]
 +
 
 +
 
 +
==Related [[Controls]]==
 +
 
 +
* [[:Category:Authentication]]
 +
* [[Strong Password Policy]]
 +
 
 +
 
 +
==Related [[Technical Impacts]]==
  
==Related Threats==
+
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
  
Attackers try to obtain a log in account of the application.
 
  
==Related Attacks==
+
==References==
* [[Brute-force Attack]] against application log in interface. 
+
TBD
  
==Related Vulnerabilities==
 
* [[Weak Passwords]]
 
  
==Related Countermeasures==
 
[[:Category:Authentication]]
 
[[Strong Password Policy]]
 
  
==Categories==
+
__NOTOC__
  
[[Category:Password Management Problem]]
 
  
{{Template:Stub}}
+
[[Category:OWASP ASDR Project]]
 +
[[Category:Password Management Vulnerability]]
 +
[[Category:Authentication Vulnerability]]
 +
[[Category:Environmental Vulnerability]]
 +
[[Category:Deployment]]
 +
[[Category:Vulnerability]]

Latest revision as of 20:41, 31 August 2015

This page contains draft content that has never been finished. Please help OWASP update this content! See FixME.

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by MicroFocus Logo.png

Last revision (mm/dd/yy): 08/31/2015

Vulnerabilities Table of Contents

Description

Using an empty string as a password is insecure.

It is never appropriate to use an empty string as a password. It is too easy to guess. An empty string password makes the authentication as weak as the user names, which are normally public or guessable. This makes a brute-force attack against the login interface much easier.

Risk Factors

TBD

Examples

TBD

Related Attacks


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD

Retrieved from "https://wiki.owasp.org/index.php?title=Empty_String_Password&oldid=199746"