CWE•Variant•Incomplete•4 recent CVEs
CWE-759Use of a One-Way Hash without a Salt
Description
The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
[object Object]
Common consequences
- Access Control→Bypass Protection Mechanism,Gain Privileges or Assume IdentityIf an attacker can gain access to the hashes, then the lack of a salt makes it easier to conduct brute force attacks using techniques such as rainbow tables.
Potential mitigations
- Architecture and Design[object Object]
- Architecture and DesignIf a technique that requires extra computational effort can not be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. Do not use the same salt for every password.
- Implementation,Architecture and DesignWhen using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.