CWE-258: Empty Password in Configuration File

VariantIncompleteExploit Likelihood: High

Using an empty string as a password is insecure.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-258: Empty Password in Configuration File?+

CWE-258: Empty Password in Configuration File is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Using an empty string as a password is insecure.

What are the security consequences of Empty Password in Configuration File?+

If exploited, CWE-258 (Empty Password in Configuration File) it can compromise Access Control, leading to outcomes such as Gain Privileges or Assume Identity.

How do you prevent or mitigate Empty Password in Configuration File?+

Recommended mitigations for CWE-258 include: Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.

Which programming languages are affected by Empty Password in Configuration File?+

CWE-258 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Empty Password in Configuration File?+

MITRE documents real CVEs mapped to CWE-258, including CVE-2022-26117. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-258 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More