Difference between revisions of "Empty String Password"
From OWASP
(→Description) |
|||
Line 45: | Line 45: | ||
TBD | TBD | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
__NOTOC__ | __NOTOC__ |
Revision as of 20:50, 7 March 2009
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision (mm/dd/yy): 03/7/2009
Description
Using an empty string as a password is insecure.
It is never appropriate to use an empty string as a password, because it is too easy to guess. An empty string password makes authentication only as strong as the user names, which are normally public or guessable. This makes a brute-force attack against the login interface much easier.
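One way to catch this before deployment is to scan configuration and source files for password fields that are assigned an empty value. The following is an added example, not part of the original OWASP page; the key names it treats as password fields and the sample input are assumptions constructed for illustration.

```python
import re

# Assumption: a field is a password field when its name ends in
# "password", "passwd" or "pwd" (case-insensitive). Extend as needed.
EMPTY_PASSWORD = re.compile(
    r"""^\s*(?:\w+\s+)*["']?(?P<key>[\w.-]*(?:password|passwd|pwd))["']?"""
    r"""\s*[:=]\s*(?:""|''|)\s*[;,]?\s*(?:(?:#|//).*)?$""",
    re.IGNORECASE,
)

def find_empty_passwords(text):
    """Return (line_number, key) for every password field set to nothing.

    Covers properties/INI (key=), YAML/JSON (key: ""), and simple source
    assignments (String dbPassword = "";). Commented-out lines, variable
    references and non-empty values are not reported.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = EMPTY_PASSWORD.match(line)
        if match:
            findings.append((lineno, match.group("key")))
    return findings

# Constructed sample mixing several file styles; not taken from a real system.
SAMPLE = '''\
db.user=scott
db.password=
password: ""
String dbPassword = "";
"admin_pwd": '',
api_password = "s3cr3t"
password_hint =
# password=
PASSWORD=${DB_PASS}
smtp_passwd=   # filled in later
'''

if __name__ == "__main__":
    for lineno, key in find_empty_passwords(SAMPLE):
        print(f"line {lineno}: '{key}' is set to an empty string")
```

A check like this belongs in CI or a pre-commit hook; it complements, and does not replace, rejecting empty passwords at account creation and at login.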
Risk Factors
TBD
Examples
TBD
Related Attacks
- Brute force attack against the application login interface.
Related Vulnerabilities
Related Controls
Related Technical Impacts
References
TBD