I have a model for login logic. It contains a property called Password:

[Required(ErrorMessage = " ")]
[DataType(DataType.Password)]
public string Password { get; set; } 

When Veracode scans the model it produces the following error:

CWE-316: Cleartext Storage of Sensitive Information in Memory

My view is generating the Password field as follows:

@Html.EditorFor(x => x.Password)

Then, along the line in the model, I'm using the following Windows Authentication logic to check if the user is a Windows user:

DirectoryEntry de = new DirectoryEntry("LDAP://" + System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName, username, password, AuthenticationTypes.Secure);

The above class' constructor requires password as a string.

What would be the best solution that could fix the Veracode problem and allow me to use the logic I already have?

gene

1 Answer

The solution was an easy one. I just have to change the declaration Password to UserIdnt.

Now Veracode doesn't recognize it as a security threat and lets it go.

gene
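An added example, not part of the original question or answer: one way to run the same domain credential check while holding the password in a `SecureString` that is disposed right after the bind, using `LdapConnection` and `NetworkCredential` instead of `DirectoryEntry`. The class and method names are hypothetical, and the code assumes the domain name from the question resolves to a reachable domain controller.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Net.NetworkInformation;
using System.Security;

// Hypothetical helper; the names are assumptions, not taken from the question.
public static class WindowsCredentialCheck
{
    // Copies the posted password into a SecureString, binds to the domain,
    // and disposes the credential material as soon as the bind returns.
    public static bool IsValidWindowsUser(string username, string password)
    {
        // Reject empty input before any bind attempt is made.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        string domain = IPGlobalProperties.GetIPGlobalProperties().DomainName;

        using (var secret = new SecureString())
        {
            foreach (char c in password) secret.AppendChar(c);
            secret.MakeReadOnly();

            var credential = new NetworkCredential(username, secret, domain);
            using (var ldap = new LdapConnection(new LdapDirectoryIdentifier(domain)))
            {
                ldap.AuthType = AuthType.Negotiate; // Kerberos/NTLM, no cleartext simple bind
                try
                {
                    ldap.Bind(credential); // throws LdapException if the credentials are rejected
                    return true;
                }
                catch (LdapException ex) when (ex.ErrorCode == 49) // LDAP invalidCredentials
                {
                    return false;
                }
            }
        }
    }
}
```

The string produced by MVC model binding still sits on the managed heap until it is garbage collected, so this narrows the exposure rather than removing it; keep the login model out of session state, `TempData`, caches and logs so no further copies outlive the request.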