Detalle CWE-916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Modos de introducción

Architecture and Design : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Consecuencias comunes

Ejemplos observados

Mitigaciones potenciales

Phases : Architecture and Design
Phases : Implementation // Architecture and Design
When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.

Métodos de detección

Automated Static Analysis - Binary or Bytecode

Efectividad : SOAR Partial

Manual Static Analysis - Binary or Bytecode

Efectividad : SOAR Partial

Manual Static Analysis - Source Code

Efectividad : High

Automated Static Analysis - Source Code

Efectividad : High

Automated Static Analysis

Efectividad : SOAR Partial

Architecture or Design Review

Efectividad : High

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Patrones de ataque relacionados

Referencias

REF-291

bcrypt
Johnny Shelley.
https://bcrypt.sourceforge.net/

REF-292

Tarsnap - The scrypt key derivation function and encryption utility
Colin Percival.
http://www.tarsnap.com/scrypt.html

REF-293

RFC2898 - PKCS #5: Password-Based Cryptography Specification Version 2.0
B. Kaliski.
https://www.rfc-editor.org/rfc/rfc2898

REF-294

How To Safely Store A Password
Coda Hale.
https://codahale.com/how-to-safely-store-a-password/

REF-295

How Companies Can Beef Up Password Security (interview with Thomas H. Ptacek)
Brian Krebs.
https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/

REF-296

Password security: past, present, future
Solar Designer.
https://www.openwall.com/presentations/PHDays2012-Password-Security/

REF-297

Our password hashing has no clothes
Troy Hunt.
https://www.troyhunt.com/our-password-hashing-has-no-clothes/

REF-298

Should we really use bcrypt/scrypt?
Joshbw.
https://web.archive.org/web/20120629144851/http://www.analyticalengine.net/2012/06/should-we-really-use-bcryptscrypt/

REF-636

Speed Hashing
Jeff Atwood.
https://blog.codinghorror.com/speed-hashing/

REF-631

Password Storage Cheat Sheet
OWASP.
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

REF-632

Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes
Thomas Ptacek.
http://hashphp.org/hashing.html

REF-908

Password hashing at scale
Solar Designer.
https://www.openwall.com/presentations/YaC2012-Password-Hashing-At-Scale/

REF-909

New developments in password hashing: ROM-port-hard functions
Solar Designer.
https://www.openwall.com/presentations/ZeroNights2012-New-In-Password-Hashing/

REF-633

The Importance of Being Canonical
Robert Graham.
https://blog.erratasec.com/2009/02/importance-of-being-canonical.html#.ZCbyY7LMJPY

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Envío

Modificaciones