Storing passwords in cleartext or with a weak encryption algorithm can compromise the security of the system.
An ASP.NET application can store multiple username and password pairs for the application in the <credentials> element of the web.config file. These pairs support the cleartext, MD5 and SHA1 password formats.
Passwords stored in cleartext or with a weak algorithm are exposed to anyone who has access to the application's configuration file. This includes anyone with access to the machine on which the application resides or to the source code repository in which the application is stored.
Example 1: The following web.config entry incorrectly stores the passwords in cleartext.
<configuration>
  <system.web>
    <authentication>
      <forms protection="All">
        <credentials passwordFormat="Clear">
          <user name="user1" password="my_password"/>
          <user name="user2" password="my_password1"/>
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
The password format is specified by the passwordFormat attribute of the configuration/system.web/authentication/forms/credentials element. The possible values of this attribute are:
Clear: the password is stored in cleartext (least secure)
MD5: the MD5 hash of the password is stored
SHA1: the SHA1 hash of the password is stored (most secure)
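As an added example that is not part of the original page, the following Python script audits a web.config for this weakness: it walks to the configuration/system.web/authentication/forms/credentials element, reads passwordFormat (falling back to SHA1, the ASP.NET default when the attribute is omitted) and reports every configured user with a risk label. The embedded configuration is the one from Example 1; labelling MD5 and SHA1 as unsalted hashes is an assessment added here, not a statement from the page.

```python
"""Audit an ASP.NET web.config <credentials> element for cleartext passwords."""
import xml.etree.ElementTree as ET

# Constructed sample: the insecure web.config from Example 1 above.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication>
      <forms protection="All">
        <credentials passwordFormat="Clear">
          <user name="user1" password="my_password"/>
          <user name="user2" password="my_password1"/>
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>"""

# Risk label per passwordFormat value. "Clear" is the finding this page
# describes; MD5 and SHA1 in this element are unsalted, fast hashes, so this
# added example rates them as weak rather than safe.
FORMAT_RISK = {"Clear": "cleartext", "MD5": "unsalted-hash", "SHA1": "unsalted-hash"}


def audit_credentials(config_xml):
    """Return one (passwordFormat, user name, risk) tuple per <user> element.

    Only the credentials element at the documented path is inspected. A missing
    passwordFormat attribute is reported as SHA1, the ASP.NET default.
    """
    root = ET.fromstring(config_xml)  # root is <configuration>
    findings = []
    for creds in root.iterfind("system.web/authentication/forms/credentials"):
        fmt = creds.get("passwordFormat", "SHA1")
        risk = FORMAT_RISK.get(fmt, "unknown-format")
        for user in creds.iterfind("user"):
            findings.append((fmt, user.get("name"), risk))
    return findings


def cleartext_users(config_xml):
    """Names of users whose password is stored in cleartext (passwordFormat="Clear")."""
    return [name for _fmt, name, risk in audit_credentials(config_xml) if risk == "cleartext"]


if __name__ == "__main__":
    for fmt, name, risk in audit_credentials(SAMPLE_WEB_CONFIG):
        print(f"passwordFormat={fmt} user={name} risk={risk}")
```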