CWE-916 Details

CWE-916: Use of Password Hash With Insufficient Computational Effort
Status: Incomplete
Published: 2013-02-21 00:00 +00:00
Last updated: 2025-12-11 00:00 +00:00

Name: Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

General Information

Modes of Introduction

Architecture and Design: REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope | Impact | Likelihood
Access Control | Bypass Protection Mechanism, Gain Privileges or Assume Identity |

Note: If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes.

Observed Examples

Reference | Description

CVE-2008-1526

Router does not use a salt with a hash, making it easier to crack passwords.

CVE-2006-1058

Router does not use a salt with a hash, making it easier to crack passwords.

CVE-2008-4905

Blogging software uses a hard-coded salt when calculating a password hash.

CVE-2002-1657

Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.

CVE-2001-0967

Server uses a constant salt when encrypting passwords, simplifying brute force attacks.

CVE-2005-0408

chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

Potential Mitigations

Phases: Architecture and Design
Phases: Implementation, Architecture and Design
When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
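As an added illustration of this mitigation (example code written for this page, not part of the CWE entry or of any referenced project): the weak pattern the entry describes, a single fast unsalted hash, placed beside a hardened scheme built from the standard-library PBKDF2 and scrypt functions. The record format (`algorithm$parameters$salt$digest`), the iteration count, and the scrypt parameters are assumptions chosen for the example; the CWE text prescribes none of them. The `needs_rehash` helper shows the property the resource-intensive schemes give you that the fast hash does not: the work factor is stored with each record and can be raised later without replacing the algorithm.

```python
import hashlib
import hmac
import secrets

# --- Weak scheme (the pattern CWE-916 describes) ---------------------------
# One fast digest, no per-user salt. Identical passwords produce identical
# digests for every user, and the cost per guess is a single SHA-256 call,
# which precomputed tables and GPU brute force exploit directly.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- Hardened scheme --------------------------------------------------------
# Assumed work factors for this example; tune them so one hash costs a
# noticeable fraction of a second on the hardware that will verify logins.
PBKDF2_ITERATIONS = 600_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random salt; parameters travel with the record."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def hash_password_scrypt(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """scrypt adds a memory cost (128 * r * n bytes), which GPUs handle far less well."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    parts = stored.split("$")
    pw = password.encode("utf-8")
    try:
        if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
            _, iters, salt_hex, dk_hex = parts
            dk = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters), dklen=32)
        elif parts[0] == "scrypt" and len(parts) == 6:
            _, n, r, p, salt_hex, dk_hex = parts
            dk = hashlib.scrypt(pw, salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p), dklen=32)
        else:
            return False
    except ValueError:  # malformed hex or integer field
        return False
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS, min_n: int = SCRYPT_N) -> bool:
    """True when a record was produced with a lower work factor than current policy.

    Call this after a successful login and re-hash with the new parameters while
    the plaintext is available; unknown or malformed records also report True.
    """
    parts = stored.split("$")
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        return int(parts[1]) < min_iterations
    if parts[0] == "scrypt" and len(parts) == 6:
        return int(parts[1]) < min_n
    return True


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice_pw = bob_pw = "correct horse battery staple"
    print("weak digests equal across users:", weak_hash(alice_pw) == weak_hash(bob_pw))
    a, b = hash_password(alice_pw), hash_password(bob_pw)
    print("hardened records equal across users:", a == b)
    print("verify correct:", verify_password(alice_pw, a), " verify wrong:", verify_password("guess", a))
    old = hash_password(alice_pw, iterations=10_000)  # record from an older, weaker policy
    print("old record needs rehash:", needs_rehash(old))
```

The per-user random salt is what defeats the shared-table attack named in the note above: every record hashes to a different digest even for equal passwords, so a table must be built per salt. The iteration count (or scrypt's `n`) is what makes each guess expensive; the two defenses are independent, and the observed examples on this page (constant salt, username as salt, no salt) all break only the first of them.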

Detection Methods

Automated Static Analysis - Binary or Bytecode

Effectiveness: SOAR Partial

Manual Static Analysis - Binary or Bytecode

Effectiveness: SOAR Partial

Manual Static Analysis - Source Code

Effectiveness: High

Automated Static Analysis - Source Code

Effectiveness: High

Automated Static Analysis

Effectiveness: SOAR Partial

Architecture or Design Review

Effectiveness: High

Vulnerability Mapping Notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID | Attack Pattern Name
CAPEC-55 | Rainbow Table Password Cracking
An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.

References

REF-291

bcrypt
Johnny Shelley.
https://bcrypt.sourceforge.net/

REF-292

Tarsnap - The scrypt key derivation function and encryption utility
Colin Percival.
http://www.tarsnap.com/scrypt.html

REF-293

RFC2898 - PKCS #5: Password-Based Cryptography Specification Version 2.0
B. Kaliski.
https://www.rfc-editor.org/rfc/rfc2898

REF-294

How To Safely Store A Password
Coda Hale.
https://codahale.com/how-to-safely-store-a-password/

REF-295

How Companies Can Beef Up Password Security (interview with Thomas H. Ptacek)
Brian Krebs.
https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/

REF-296

Password security: past, present, future
Solar Designer.
https://www.openwall.com/presentations/PHDays2012-Password-Security/

REF-297

Our password hashing has no clothes
Troy Hunt.
https://www.troyhunt.com/our-password-hashing-has-no-clothes/

REF-298

Should we really use bcrypt/scrypt?
Joshbw.
https://web.archive.org/web/20120629144851/http://www.analyticalengine.net/2012/06/should-we-really-use-bcryptscrypt/

REF-636

Speed Hashing
Jeff Atwood.
https://blog.codinghorror.com/speed-hashing/

REF-631

Password Storage Cheat Sheet
OWASP.
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

REF-632

Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes
Thomas Ptacek.
http://hashphp.org/hashing.html

REF-908

Password hashing at scale
Solar Designer.
https://www.openwall.com/presentations/YaC2012-Password-Hashing-At-Scale/

REF-909

New developments in password hashing: ROM-port-hard functions
Solar Designer.
https://www.openwall.com/presentations/ZeroNights2012-New-In-Password-Hashing/

REF-633

The Importance of Being Canonical
Robert Graham.
https://blog.erratasec.com/2009/02/importance-of-being-canonical.html#.ZCbyY7LMJPY

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Submissions

Name | Organization | Date | Release Date | Version
CWE Content Team MITRE 2013-01-28 +00:00 2013-02-21 +00:00 2.4

Modifications

Name | Organization | Date | Comment
CWE Content Team MITRE 2014-02-18 +00:00 updated Potential_Mitigations, References
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated Description
CWE Content Team MITRE 2019-06-20 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships
CWE Content Team MITRE 2024-02-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships