...

In order to comply with MSC05-J. Store passwords using a hash function, the passwords would have to be hashed before they are stored and compared. Unfortunately, on many small systems they are not, so the password text inserted into the query string is exactly what the user typed. An attacker could supply a password such as:

...

In this noncompliant code example, a user name and password are read from the user and used to construct the query string. The password is passed as a char array and then hashed, to comply with MSC05-J. Store passwords using a hash function and MSC10-J. Limit the lifetime of sensitive data. The example is still noncompliant because the user-supplied values are concatenated into the query text rather than bound as parameters.
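The following is an added example, not code from the original page or from the CERT standard. It shows both points above together: hashing the password alone does not stop injection when the user name is still concatenated into the SQL text, and binding the values through a PreparedStatement does. The table and column names (users, username, password), the SHA-256 choice and the attacker string are assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.HexFormat;

// Added illustration; schema (users/username/password) is assumed.
public final class LoginQueryExample {

    /**
     * Hashes the password without ever turning the char[] into a String,
     * so the caller can wipe the array afterwards (MSC10-J).
     * Plain SHA-256 is used only to keep the example short; a real system
     * should use a salted, deliberately slow password hash (e.g. PBKDF2).
     */
    static String hashPassword(char[] password) throws NoSuchAlgorithmException {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(bytes);
            return HexFormat.of().formatHex(digest);
        } finally {
            Arrays.fill(bytes, (byte) 0);   // clear the plaintext copy
        }
    }

    /**
     * Noncompliant: the user name is pasted straight into the SQL text.
     * The password is hashed, but that does nothing for the username field.
     */
    static String buildQueryUnsafe(String username, String passwordHash) {
        return "SELECT * FROM users WHERE username='" + username
             + "' AND password='" + passwordHash + "'";
    }

    /**
     * Compliant: the SQL text is fixed and both values are bound as
     * parameters, so a quote or comment marker in the input stays data.
     */
    static boolean checkCredentialsSafe(Connection conn, String username, char[] password)
            throws SQLException, NoSuchAlgorithmException {
        String sql = "SELECT 1 FROM users WHERE username=? AND password=?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, username);
            stmt.setString(2, hashPassword(password));
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next();
            }
        } finally {
            Arrays.fill(password, ' ');     // MSC10-J: limit lifetime of the secret
        }
    }

    public static void main(String[] args) throws Exception {
        char[] guess = "not-the-password".toCharArray();
        String hash = hashPassword(guess);
        Arrays.fill(guess, ' ');

        // Constructed attacker input: closes the quoted username and turns the
        // rest of the statement, including the password check, into a comment
        // (the trailing space after "--" matters on MySQL).
        String attackerUsername = "admin'-- ";
        System.out.println(buildQueryUnsafe(attackerUsername, hash));
        // In the printed statement the WHERE clause ends at username='admin',
        // so the hashed password is never compared at all.
    }
}
```

With the prepared statement, the same attacker string is sent as a bound parameter value; the database looks for a user literally named `admin'-- ` and the password comparison is still evaluated.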

...