Corgea LogoCorgea Security Hub

CWE-1391: Use of Weak Credentials

Learn about CWE-1391 (Use of Weak Credentials), its security impact, exploitation methods, and prevention guidelines.

What is Use of Weak Credentials?

• Overview: This vulnerability occurs when software uses weak credentials, such as default or hard-coded passwords, which attackers can easily guess or derive. It undermines authentication protocols by allowing unauthorized access without the need for brute force attacks.

• Exploitation Methods:

  • Attackers exploit weak credentials by guessing or calculating them using known patterns or defaults.
  • Common attack patterns include scanning for default passwords, using credential stuffing with known password lists, and deriving keys through predictable generation methods.

• Security Impact:

  • Direct consequences include unauthorized access to systems and data, leading to potential data breaches.
  • Potential cascading effects include lateral movement within networks, further exploiting other vulnerabilities, and compromising additional systems.
  • Business impact involves loss of customer trust, financial loss, regulatory penalties, and damage to brand reputation.

• Prevention Guidelines:

  • Avoid using hard-coded credentials in code; instead, use environment variables or secure vaults.
  • Enforce strong, unique passwords and keys for each deployment and encourage regular updates.
  • Implement and enforce multi-factor authentication to add an additional layer of security.
  • Use tools like code analyzers and security scanners to detect weak credentials and vulnerabilities in the codebase.
Corgea can automatically detect and fix Use of Weak Credentials in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: ICS/OT, Not Technology-Specific

Vulnerable Code Example

# This is a vulnerable code example demonstrating weak credentials.
# The use of a hard-coded password makes it easy for attackers to gain unauthorized access.

def authenticate_user(username, password):
    # Hard-coded password (weak credential)
    if username == "admin" and password == "password123":
        return True
    return False

# This function can be easily exploited if the credentials are guessed by an attacker.

How to fix Use of Weak Credentials?

To fix the issue of weak credentials, follow these steps:

  1. Remove Hard-Coded Credentials: Avoid using hard-coded credentials directly in the code. This makes the credentials easy to guess or extract by anyone with access to the source code.

  2. Use Secure Credential Storage: Store credentials securely using environment variables, configuration files, or a dedicated secrets management tool. These methods allow you to change credentials without altering the code.

  3. Implement Strong Password Policies: Ensure that passwords are strong by enforcing complexity requirements and using password hashing for storage. Never store plaintext passwords.

  4. Utilize Authentication Libraries: Use well-established authentication libraries that handle credential storage and verification securely, such as OAuth or OpenID Connect.

Fixed Code Example

import os
from hashlib import sha256

# Use environment variables to store credentials securely
ADMIN_USERNAME = os.getenv('ADMIN_USERNAME')
ADMIN_PASSWORD_HASH = os.getenv('ADMIN_PASSWORD_HASH')

def authenticate_user(username, password):
    # Hash the input password and compare it to the stored hash
    password_hash = sha256(password.encode()).hexdigest()
    if username == ADMIN_USERNAME and password_hash == ADMIN_PASSWORD_HASH:
        return True
    return False

# With this implementation, credentials are stored securely outside the code,
# and strong password hashing is used to prevent credential attacks.

Key Improvements:

  • Environment Variables: Store sensitive information like credentials in environment variables, which keeps them out of the source code and allows easy updates.
  • Password Hashing: Use secure hashing algorithms (such as SHA-256) to store password hashes instead of plaintext passwords, increasing security significantly.
  • Separation of Configuration and Code: By moving credentials to environment variables or configuration files, you enhance security and maintainability.

These changes ensure that the code example clearly demonstrates the vulnerability of using weak credentials and provides a robust solution that follows best security practices.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-1391: Use of Weak Credentials and get remediation guidance

Start for free and no credit card needed.