CWE•Variant•Incomplete•3 recent CVEs
CWE-760: Use of a One-Way Hash with a Predictable Salt
Description
The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
Common consequences
- Access Control: Bypass Protection Mechanism
Potential mitigations
- Architecture and Design
- Implementation: If a technique that requires extra computational effort cannot be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. Do not use the same salt for every password.
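To make the mitigation concrete, the following is an added Python example (not part of the CWE entry) that puts a fixed, application-wide salt next to the recommended per-password random salt, stretched with PBKDF2-HMAC-SHA256 from the standard library. The salt length, iteration count and sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Weak pattern (CWE-760): one fixed, predictable salt shared by every password.
# FIXED_SALT is a constructed value standing in for any hard-coded salt.
FIXED_SALT = b"app-wide-salt"

def hash_with_predictable_salt(password: str) -> bytes:
    # Same salt every time, so equal passwords give equal hashes and one
    # precomputed table covers every account in the store.
    return hashlib.sha256(FIXED_SALT + password.encode()).digest()

# Hardened pattern: a fresh 16-byte salt from the OS CSPRNG for each password,
# stretched with PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac, standard library).
# ITERATIONS is an assumed work factor chosen for this example.
ITERATIONS = 600_000
SALT_LEN = 16

def hash_with_random_salt(password: str, iterations: int = ITERATIONS) -> dict:
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # The salt is not secret: store it beside the hash so verify() can reuse it.
    return {"salt": salt, "hash": digest, "iterations": iterations}

def verify(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])

def salts_are_unique(records: list) -> bool:
    """Audit check over a credential store: every record must carry its own salt."""
    return len({r["salt"] for r in records}) == len(records)

if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    # The same password stored twice: the weak scheme cannot tell the two apart.
    print(hash_with_predictable_salt(pw) == hash_with_predictable_salt(pw))  # True
    a, b = hash_with_random_salt(pw), hash_with_random_salt(pw)
    print(a["hash"] != b["hash"], salts_are_unique([a, b]))  # True True
    print(verify(pw, a), verify("wrong", a))  # True False
```

`salts_are_unique` is the kind of one-line audit a reviewer can run over an exported credential table to catch a shared salt before it ships.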