CWE-916 Detail

CWE-916: Use of Password Hash With Insufficient Computational Effort
Status: Incomplete
Created: 2013-02-21 00h00 +00:00
Last modified: 2025-12-11 00h00 +00:00

Name: Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

General Information

Modes Of Introduction

Architecture and Design : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Note: If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes.

Observed Examples

Reference    Description

CVE-2008-1526

Router does not use a salt with a hash, making it easier to crack passwords.

CVE-2006-1058

Router does not use a salt with a hash, making it easier to crack passwords.

CVE-2008-4905

Blogging software uses a hard-coded salt when calculating a password hash.

CVE-2002-1657

Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.

CVE-2001-0967

Server uses a constant salt when encrypting passwords, simplifying brute force attacks.

CVE-2005-0408

chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

Potential Mitigations

Phases: Architecture and Design
Phases: Implementation, Architecture and Design
When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
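As an added illustration (not code from the CWE entry itself), the block below places the kind of scheme seen in the observed examples above, an unsalted single-round MD5 digest, beside a hardened PBKDF2-HMAC-SHA256 (RFC 2898) routine with a per-user random salt and a high iteration count; `ITERATIONS` is an assumed example value to be tuned to your own hardware, and `hashlib.pbkdf2_hmac` / `hmac.compare_digest` are Python standard-library calls.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme, as in the observed examples above: no salt, one MD5 round.
# Every user with the same password gets the same digest, and MD5 is fast
# enough that rainbow tables and GPU cracking stay cheap.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.
# The iteration count is the resource-intensive step that must not be
# skipped; 600_000 is an assumed example value, not a figure from the page.
ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm, cost, salt and digest travel together,
    # so the cost can be raised later without breaking older records.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(dk_hex))

def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy."""
    _, iters, _, _ = stored.split("$")
    return int(iters) < min_iterations

if __name__ == "__main__":
    # Two users with the same password: identical under the weak scheme,
    # distinct under the salted one.
    print(weak_hash("hunter2") == weak_hash("hunter2"))        # True
    print(hash_password("hunter2") == hash_password("hunter2"))  # False
```

On login, call `verify_password` and then `needs_rehash` so records created under an older, cheaper iteration count are transparently upgraded.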

Detection Methods

Automated Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial

Manual Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial

Manual Static Analysis - Source Code
Effectiveness: High

Automated Static Analysis - Source Code
Effectiveness: High

Automated Static Analysis
Effectiveness: SOAR Partial

Architecture or Design Review
Effectiveness: High

Vulnerability Mapping Notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID    Attack Pattern Name
CAPEC-55 Rainbow Table Password Cracking
An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.

References

REF-291: Johnny Shelley. "bcrypt". https://bcrypt.sourceforge.net/

REF-292: Colin Percival. "Tarsnap - The scrypt key derivation function and encryption utility". http://www.tarsnap.com/scrypt.html

REF-293: B. Kaliski. "RFC2898 - PKCS #5: Password-Based Cryptography Specification Version 2.0". https://www.rfc-editor.org/rfc/rfc2898

REF-294: Coda Hale. "How To Safely Store A Password". https://codahale.com/how-to-safely-store-a-password/

REF-295: Brian Krebs. "How Companies Can Beef Up Password Security (interview with Thomas H. Ptacek)". https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/

REF-296: Solar Designer. "Password security: past, present, future". https://www.openwall.com/presentations/PHDays2012-Password-Security/

REF-297: Troy Hunt. "Our password hashing has no clothes". https://www.troyhunt.com/our-password-hashing-has-no-clothes/

REF-298: Joshbw. "Should we really use bcrypt/scrypt?". https://web.archive.org/web/20120629144851/http://www.analyticalengine.net/2012/06/should-we-really-use-bcryptscrypt/

REF-636: Jeff Atwood. "Speed Hashing". https://blog.codinghorror.com/speed-hashing/

REF-631: OWASP. "Password Storage Cheat Sheet". https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

REF-632: Thomas Ptacek. "Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes". http://hashphp.org/hashing.html

REF-908: Solar Designer. "Password hashing at scale". https://www.openwall.com/presentations/YaC2012-Password-Hashing-At-Scale/

REF-909: Solar Designer. "New developments in password hashing: ROM-port-hard functions". https://www.openwall.com/presentations/ZeroNights2012-New-In-Password-Hashing/

REF-633: Robert Graham. "The Importance of Being Canonical". https://blog.erratasec.com/2009/02/importance-of-being-canonical.html#.ZCbyY7LMJPY

REF-1479: Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Submission

Name    Organization    Date    Release Date    Version
CWE Content Team MITRE 2013-01-28 +00:00 2013-02-21 +00:00 2.4

Modifications

Name    Organization    Date    Comment
CWE Content Team MITRE 2014-02-18 +00:00 updated Potential_Mitigations, References
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated Description
CWE Content Team MITRE 2019-06-20 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships
CWE Content Team MITRE 2024-02-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships