...
Applications such as password managers may need to recover the original password in order to enter it into a third-party application. Such reversible storage is permitted even though it violates this guideline: a password manager is accessed by a single user, who has explicitly authorized it to store his or her passwords and to display them on command. Consequently, the limit to safety and security is the user's competence rather than the program's operation. The exception covers only the need to recover the password; it does not license keeping it in plaintext (see CWE-256 under Related Guidelines), so the stored form should be encrypted under a key that only the user can supply.
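The following is an added example, not code from the CERT standard, showing how a single-user password manager can satisfy this exception without storing the password in plaintext: the third-party password is encrypted with AES-GCM under a key derived (PBKDF2-HMAC-SHA256) from a master password the user types, and is recovered only on the user's command. The class and method names (`VaultEntry`, `seal`, `open`) and the sample passwords in `main` are assumptions made for the illustration. Both passwords are handled as `char[]` rather than `String` so they can be wiped after use.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the standard): reversible storage of one third-party
// password for a single-user password manager. Names are illustrative.
public final class VaultEntry {
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;           // 96-bit nonce, the GCM recommendation
    private static final int TAG_BITS = 128;
    private static final int KEY_BITS = 256;
    private static final int PBKDF2_ITERATIONS = 600_000;
    private static final SecureRandom RNG = new SecureRandom();

    private final byte[] salt;        // per-entry salt for key derivation
    private final byte[] iv;          // per-entry nonce; never reused under the same key
    private final byte[] ciphertext;  // AES-GCM output with authentication tag appended

    private VaultEntry(byte[] salt, byte[] iv, byte[] ciphertext) {
        this.salt = salt;
        this.iv = iv;
        this.ciphertext = ciphertext;
    }

    // Only the ciphertext is ever persisted; the key exists transiently, derived
    // from the master password the user types.
    private static SecretKey deriveKey(char[] master, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(master, salt, PBKDF2_ITERATIONS, KEY_BITS);
        try {
            byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                              .generateSecret(spec).getEncoded();
            try {
                return new SecretKeySpec(keyBytes, "AES");
            } finally {
                Arrays.fill(keyBytes, (byte) 0);
            }
        } finally {
            spec.clearPassword();  // PBEKeySpec keeps its own copy of the password; wipe it
        }
    }

    /** Encrypt a third-party password so it can later be recovered with the master password. */
    public static VaultEntry seal(char[] master, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(master, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] plain = toBytes(password);
        try {
            return new VaultEntry(salt, iv, cipher.doFinal(plain));
        } finally {
            Arrays.fill(plain, (byte) 0);
        }
    }

    /** Recover the original password on the user's command. The caller must wipe the result. */
    public char[] open(char[] master) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(master, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] plain = cipher.doFinal(ciphertext);  // AEADBadTagException on wrong master or tampering
        try {
            return toChars(plain);
        } finally {
            Arrays.fill(plain, (byte) 0);
        }
    }

    // char[] <-> byte[] without passing through an immutable String, which could not be wiped.
    private static byte[] toBytes(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[bb.remaining()];
        bb.get(out);
        if (bb.hasArray()) Arrays.fill(bb.array(), (byte) 0);
        return out;
    }

    private static char[] toChars(byte[] bytes) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes));
        char[] out = new char[cb.remaining()];
        cb.get(out);
        if (cb.hasArray()) Arrays.fill(cb.array(), '\0');
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample input. A real program reads both from the user as char[];
        // these literals live in the string pool and cannot be wiped.
        char[] master = "correct horse battery staple".toCharArray();
        char[] sitePassword = "Tr0ub4dor&3".toCharArray();
        VaultEntry entry = seal(master, sitePassword);
        char[] recovered = entry.open(master);
        System.out.println("round trip ok: " + Arrays.equals(sitePassword, recovered));
        Arrays.fill(recovered, '\0');
        try {
            entry.open("wrong master".toCharArray());
        } catch (AEADBadTagException e) {
            System.out.println("wrong master password rejected");
        }
        Arrays.fill(master, '\0');
        Arrays.fill(sitePassword, '\0');
    }
}
```

Because GCM authenticates the ciphertext, a wrong master password or a modified vault entry fails with `AEADBadTagException` instead of yielding garbage, so the program never displays a password that the user did not actually store. The per-entry random salt and nonce keep identical passwords in different entries from producing identical ciphertexts.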
Related Guidelines

| ISO/IEC TR 24772 | Insufficiently Protected Credentials [XYM] |
| MITRE CWE | CWE-256, Plaintext Storage of a Password |
...