Java

Made by DeepSource

Database password field is empty JAVA-S0014

Security
Critical

The password field for this database connection is empty.

This code creates a database connection using a blank or empty password. This indicates that the database is not protected by a password. Because the only information required to access such a database is its address, any information stored in it is protected only by the obscurity of that address.

Examples

Bad Practice

Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "AppLogin", "");

Reliance on security by obscurity is heavily discouraged as it provides a convenient way for malicious actors to gain control of private data.

Recommended

String secretPassword = ...;

Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "AppLogin", secretPassword);
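One way to make sure `secretPassword` is never blank at runtime is to load it from the environment and fail closed. This is an added example, not DeepSource's code; the class name `DbConnect`, the variable name `APP_DB_PASSWORD` and the sample values are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.List;
import java.util.Map;

public class DbConnect {
    // Hypothetical variable name; use whatever your secret store injects.
    static final String PASSWORD_VAR = "APP_DB_PASSWORD";

    // Fail closed: a missing, empty or whitespace-only value is rejected
    // instead of being passed to the driver as a blank password.
    static String requirePassword(Map<String, String> env) {
        String pw = env.get(PASSWORD_VAR);
        if (pw == null || pw.isBlank()) {   // isBlank() needs Java 11+
            throw new IllegalStateException(
                PASSWORD_VAR + " is unset or blank; refusing to connect");
        }
        return pw;
    }

    static Connection open(String url, String user, Map<String, String> env) throws SQLException {
        return DriverManager.getConnection(url, user, requirePassword(env));
    }

    public static void main(String[] args) {
        // Constructed environments covering the cases the guard must handle.
        List<Map<String, String>> samples = List.of(
            Map.of(),
            Map.of(PASSWORD_VAR, ""),
            Map.of(PASSWORD_VAR, "   "),
            Map.of(PASSWORD_VAR, "constructed-sample-value"));
        for (Map<String, String> env : samples) {
            try {
                requirePassword(env);
                System.out.println("accepted");
            } catch (IllegalStateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        // Real use: the process environment supplies the secret (needs a JDBC driver on the classpath).
        try (Connection conn = open("jdbc:derby:memory:myDB;create=true",
                                    "AppLogin", System.getenv())) {
            System.out.println("connected: " + !conn.isClosed());
        } catch (IllegalStateException | SQLException e) {
            System.out.println("not connected: " + e.getMessage());
        }
    }
}
```

The first three constructed environments are rejected and only the fourth is accepted, so a deployment that forgets to set the secret stops at startup instead of connecting with an empty password.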
