.cfg and .ini files

When scrutinizing new applications, or conducting a security audit of the programs on a PC, search for passwords stored in configuration files. Configuration files commonly use the file extensions - .ini and .cfg. Their purpose is to store the initial settings for applications. Programmers often make the mistake of using them to store passwords, which causes a cyber security vulnerability.

A configuration file used with a Java web based application may contain lines like these:

webapp.ldap.username=secretUsername webapp.ldap.password=secretPassword

If passwords are part of a configuration file they should be encrypted.