CWE-256 Plaintext Storage of a Password
Coverage: 26 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 26 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged a password being stored or handled without proper one-way password hashing (plaintext storage, reversible "encryption," or weak hashing).
Why it matters
If a database or log is leaked, plaintext passwords are immediately usable.
- Immediate account takeover if passwords are plaintext or reversible.
- Credential stuffing across other services because users reuse passwords.
- This is one of the clearest "high severity" auth failures.
Safer examples
1) Hash passwords with Argon2id/scrypt/bcrypt
from argon2 import PasswordHasher
ph = PasswordHasher()
stored_hash = ph.hash(password)
2) Verify using the hashing library (constant time)
ph.verify(stored_hash, password_attempt)
3) Never "decrypt passwords"
Passwords are verified, not decrypted. If you need a recoverable secret, store a separate secret with separate protection.
How SiteShadow detects it (high level)
- Flags password-like variables being persisted directly or passed through reversible transforms.
- Recognizes weak password handling patterns (base64/encoding, fast hashes in password contexts).
References
- CWE-256: https://cwe.mitre.org/data/definitions/256.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.