Password found in server response - Vulnerability Database

Password found in server response

Description

The application returns a password in cleartext within an HTTP response, even though the password was not submitted in the corresponding request. Because the server can only emit a value it is able to read back, this indicates that the password is stored in cleartext, or in a reversibly encrypted form that the application can decrypt, on the server or a connected backend system, rather than as a one-way hash. Cleartext password storage violates fundamental security principles: anyone with read access to the response, the database, a backup or a log that captures it obtains working credentials, and those credentials are frequently reused on other services.

Remediation

Immediately stop storing passwords in cleartext or reversibly encrypted formats. Implement the following secure password storage practices:

1. Use a strong, adaptive hashing algorithm specifically designed for password storage, such as bcrypt, scrypt, Argon2, or PBKDF2
2. Generate a unique, cryptographically random salt for each password before hashing (bcrypt and most Argon2 libraries do this for you and embed the salt in the encoded output; with raw scrypt or PBKDF2 you must generate and store it yourself)
3. Configure appropriate work factors (cost parameters) to make brute-force attacks computationally expensive, and revisit them as hardware improves
4. Never return passwords in API responses or display them in user interfaces; serialize an allow-list of fields rather than the whole stored record
5. Implement password verification by hashing the submitted value and comparing it to the stored hash in constant time, never by retrieving a stored password

Example using bcrypt (Node.js):

const bcrypt = require('bcrypt');
const saltRounds = 12; // cost factor: 2^12 rounds; raise as hardware improves

// Storing a password: bcrypt generates a random salt and embeds it in the hash
async function storePassword(plainTextPassword) {
  const hashedPassword = await bcrypt.hash(plainTextPassword, saltRounds);
  // Save hashedPassword to the database; never save plainTextPassword
  return hashedPassword;
}

// Verifying a password: compare against the stored hash; the password itself is never retrieved
async function verifyPassword(submittedPassword, storedHashedPassword) {
  return bcrypt.compare(submittedPassword, storedHashedPassword);
}

Audit all systems that currently store or transmit passwords to ensure they follow these practices, including backend services and integrations that receive the same data. Because the exposed cleartext values must be treated as compromised, force a password reset for affected users once storage has been fixed.
