CWE-256 Base Incomplete High likelihood

Plaintext Storage of a Password

This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or…

Definition

What is CWE-256?

This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or databases where attackers can easily retrieve them.
Storing passwords in plaintext is a critical security failure because it completely bypasses the fundamental purpose of password protection. If an attacker gains access to the storage—through a database breach, a leaked file, or a memory dump—they immediately obtain all user credentials. This often leads to account takeover, data theft, and lateral movement across systems, as users frequently reuse passwords. To prevent this, developers must never store the actual password. Instead, always use a strong, adaptive cryptographic hash function (like Argon2, scrypt, or bcrypt) with a unique salt for each password. This transforms the password into a fixed-length, irreversible string. Even if the hash is exposed, the original password remains computationally infeasible to recover, significantly limiting the damage of a data breach.
Vulnerability Diagram CWE-256
Plaintext Storage of Password User signs up pw="hunter2" users table name | password alice | hunter2 bob | letmein eve | qwerty DB dump → all passwords credential stuffing Passwords must be salted+hashed (bcrypt/argon2), never stored plain.
Real-world impact

Real-world CVEs caused by CWE-256

  • CVE-2022-30275

    Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.

How attackers exploit it

Step-by-step attacker path

  1. 1

    The following code reads a password from a properties file and uses the password to connect to a database.

  2. 2

    This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system.

  3. 3

    The following code reads a password from the registry and uses the password to create a new network credential.

  4. 4

    This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system

  5. 5

    The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.

Vulnerable code example

Vulnerable Java

The following code reads a password from a properties file and uses the password to connect to a database.

Vulnerable Java 
...
  Properties prop = new Properties();
  prop.load(new FileInputStream("config.properties"));
  String password = prop.getProperty("password");
  DriverManager.getConnection(url, usr, password);
  ...
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-256

  • Architecture and Design Avoid storing passwords in easily accessible locations.
  • Architecture and Design Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
  • A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Detection signals

How to detect CWE-256

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-256 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-256?

This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or databases where attackers can easily retrieve them.

How serious is CWE-256?

MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.

What languages or platforms are affected by CWE-256?

MITRE lists the following affected platforms: ICS/OT.

How can I prevent CWE-256?

Avoid storing passwords in easily accessible locations. Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

How does Plexicus detect and fix CWE-256?

Plexicus's SAST engine matches the data-flow signature for CWE-256 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-256?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/256.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-256

CWE-522 Parent

Insufficiently Protected Credentials

This vulnerability occurs when an application handles sensitive credentials like passwords or API keys in an insecure way, making them…

CWE-257 Sibling

Storing Passwords in a Recoverable Format

This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their…

CWE-260 Sibling

Password in Configuration File

This vulnerability occurs when an application stores sensitive passwords directly within a configuration file, making them easily readable…

CWE-261 Sibling

Weak Encoding for Password

Using simple encoding like Base64 to hide a password provides no real security, as it can be easily reversed.

CWE-523 Sibling

Unprotected Transport of Credentials

This vulnerability occurs when a login page or authentication system transmits user credentials (like usernames and passwords) over a…

CWE-549 Sibling

Missing Password Field Masking

This vulnerability occurs when an application fails to hide password characters as they are typed, making them visible to anyone who can…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo