Network access control (NAC) product has a configuration file with an empty password
Related Attack Patterns (CAPEC)
N/A
Attack TTPs
N/A
Modes of Introduction
Architecture and Design: N/A
Implementation: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation: N/A
Common Consequences
Impact: Gain Privileges or Assume Identity. Anyone who can reach the service that accepts the configured account can authenticate as it without supplying any credential.
Potential Mitigations
System Configuration: Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, a book of names, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.
Applicable Platforms
Language: Not Language-Specific (prevalence undetermined)
Demonstrative Examples
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information, but the password is provided as an empty string.
This Java example shows a properties file with an empty password string.
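The check a practitioner would want alongside these examples is one that catches the empty value both at scan time (over a tree of configuration files) and at load time (so the application fails closed rather than authenticating with ""). The following Python script is an added example, not code from the original page or from any vendor's product; the file contents, key names (webapp.ldap.password, AppDb, LdapPassword) and the ${WEBAPP_LDAP_PASSWORD} placeholder are constructed for illustration, and the placeholder is assumed to be resolved by deployment tooling before the file is read.

```python
"""Detect and refuse empty passwords in Java .properties and ASP.NET web.config files.

Added example: the sample files and key names below are constructed, not taken from
any real application.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Heuristic for keys that are likely to hold a credential; widen it for your naming scheme.
PASSWORD_KEY = re.compile(r"pass(word|wd)?|pwd|secret", re.IGNORECASE)

# Constructed weak sample: two password keys with empty values (one with spaces around '=').
WEAK_PROPERTIES = """\
# hypothetical LDAP settings for a web application
webapp.ldap.url=ldap://directory.example.internal:389
webapp.ldap.username=svc-webapp
webapp.ldap.password=
webapp.db.password =
"""

# Constructed hardened sample: the secret is injected at deploy time (placeholder is an
# assumption about the deployment tooling), so the file never carries an empty or clear value.
HARDENED_PROPERTIES = """\
# hypothetical: WEBAPP_LDAP_PASSWORD is substituted by the deployment pipeline
webapp.ldap.url=ldap://directory.example.internal:389
webapp.ldap.username=svc-webapp
webapp.ldap.password=${WEBAPP_LDAP_PASSWORD}
"""

# Constructed weak ASP.NET sample: empty password in a connection string and in appSettings.
WEAK_WEB_CONFIG = """\
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db.example.internal;Database=app;User Id=app_user;Password=;" />
  </connectionStrings>
  <appSettings>
    <add key="LdapPassword" value="" />
  </appSettings>
</configuration>
"""


def parse_properties(text: str) -> List[Tuple[int, str, str]]:
    """Minimal Java .properties parser: (line number, key, value) per entry.

    Handles '=', ':' and whitespace separators and skips blank and comment lines.
    Line continuations and unicode escapes are out of scope for this check.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            entries.append((lineno, m.group(1), m.group(2).strip()))
    return entries


def find_empty_passwords_in_properties(text: str) -> List[Tuple[int, str]]:
    """Scan-time check: (line number, key) for each credential key whose value is empty."""
    return [(n, k) for n, k, v in parse_properties(text) if PASSWORD_KEY.search(k) and v == ""]


def find_empty_passwords_in_web_config(xml_text: str) -> List[str]:
    """Scan-time check for web.config: empty Password= in connection strings or empty
    password-like appSettings values."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        conn = add.get("connectionString")
        if conn is not None:
            for part in conn.split(";"):
                if "=" not in part:
                    continue
                k, v = part.split("=", 1)
                if PASSWORD_KEY.search(k.strip()) and v.strip() == "":
                    findings.append(f"connectionString {add.get('name')}: {k.strip()} is empty")
        key = add.get("key")
        if key is not None and PASSWORD_KEY.search(key) and (add.get("value") or "").strip() == "":
            findings.append(f"appSettings {key} is empty")
    return findings


def require_secret(properties_text: str, key: str) -> str:
    """Load-time check: return the value for key, or raise so the application fails closed
    instead of silently authenticating with an empty password."""
    values = {k: v for _, k, v in parse_properties(properties_text)}
    value = values.get(key, "")
    if value == "":
        raise ValueError(f"{key} is empty or missing; refusing to start")
    return value


if __name__ == "__main__":
    print(find_empty_passwords_in_properties(WEAK_PROPERTIES))
    print(find_empty_passwords_in_properties(HARDENED_PROPERTIES))
    print(find_empty_passwords_in_web_config(WEAK_WEB_CONFIG))
    try:
        require_secret(WEAK_PROPERTIES, "webapp.ldap.password")
    except ValueError as exc:
        print("startup refused:", exc)
```

Run the scan functions from a pre-deployment or CI step over every properties, XML and YAML file in the build, and call the load-time check once after placeholder substitution; checking before substitution would accept the placeholder string itself as a password.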