Variant · Incomplete

CWE-258: Empty Password in Configuration File

Category: auth

Description

Using an empty string as a password is insecure.

Common consequences · 1

  • Access Control — Gain Privileges or Assume Identity

Potential mitigations · 1

  • [System Configuration] Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.

References

  1. https://cwe.mitre.org/data/definitions/258.html

(incoming) · 1

Type | Target | Confidence | Tier
Vulnerability | CVE-2025-9276 (cve-2025-9276) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Password in Configuration File
  • CWE: ASP.NET Misconfiguration: Password in Configuration File
  • CWE: J2EE Misconfiguration: Plaintext Password in Configuration File
  • CWE: Use of Default Password
  • CWE: Plaintext Storage of a Password
  • CWE: Use of Default Credentials

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.