Storing Passwords in a Recoverable Format

From Guidance Share




Storing passwords in a recoverable format exposes them to password reuse attacks by malicious users. If a system administrator can recover a password directly, or run a brute-force search over the information available to him, he can then use that password against the same user's other accounts.

Applies To

  • Languages: All
  • Operating platforms: All


Impact

  • Confidentiality: Users' passwords may be revealed.
  • Authentication: Revealed passwords may be reused elsewhere to impersonate the users in question.

Vulnerabilities

  • Failure to encrypt passwords on disk, in memory, or in source code

Countermeasures

  • Design / Implementation: Ensure that a strong, non-reversible transformation (a one-way hash, not reversible encryption) is used to protect stored passwords. Apply this both on disk and whenever the password is held in memory, so that neither an administrator nor an attacker who reads the stored value can recover the original password.
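The following added example (not code from Guidance Share) contrasts the recoverable storage this page warns about with a non-reversible alternative. The recoverable side uses a hypothetical base64 "encoding" that any administrator can undo; the hardened side uses salted PBKDF2-HMAC-SHA256 from Python's standard library, with the iteration count, record format and function names chosen here as assumptions rather than taken from the page.

```python
import base64
import hashlib
import hmac
import os

# --- Recoverable storage: the pattern this page describes as a vulnerability ---
# Hypothetical "protection" that is trivially reversible by anyone who can read
# the stored record (an administrator, a backup operator, an attacker with a dump).


def store_recoverable(password: str) -> str:
    return base64.b64encode(password.encode()).decode()


def recover(stored: str) -> str:
    # The original password comes straight back out: it can be reused elsewhere.
    return base64.b64decode(stored).decode()


# --- Non-reversible storage: salted, iterated one-way hash ---
# Assumed iteration count; tune it to the latency budget of your login path.
ITERATIONS = 600_000


def store_hashed(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # unique per password, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the digest from the candidate password and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    # compare_digest avoids leaking where the digests first differ via timing
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    pw = "correct horse battery staple"
    weak = store_recoverable(pw)
    print("recoverable record reveals:", recover(weak))
    strong = store_hashed(pw)
    print("hashed record:", strong)
    print("verify correct:", verify_hashed(pw, strong))
    print("verify wrong:  ", verify_hashed("wrong password", strong))
```

Only the hashed record can be stored and compared without ever holding a value from which the password is recoverable; the per-record salt also means two users with the same password produce different records, so one cracked record does not expose the other.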

Vulnerability Patterns

How Tos
