CWE-759: Use of a One-Way Hash without a Salt
Description
The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
Submission Date :
March 3, 2009, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
MITRE
Extended Description
This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables.
It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. See CWE-916 for more details.
Example - 1
In both of these examples, a user is logged in if their given password matches a stored password: This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759).
// //Login if hash matches stored hash//
login_user();ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... );if (equal(ctext, secret_password())) {}unsigned char *check_passwd(char *plaintext) {}
// //Login if hash matches stored hash//
login_user();String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(plainTextIn);byte[] digest = password.digest();if (equal(digest,secret_password())) {}
Example - 2
In this example, a new user provides a new username and password to create an account. The program hashes the new user's password then stores it in a database.
// # UpdateUserLogin returns True on success, False otherwise//
hasher = hashlib.new('md5')hasher.update(Password)hashedPassword = hasher.digest()return updateUserLogin(userName,hashedPassword)def storePassword(userName,Password):
While it is good to avoid storing a cleartext password, the program does not provide a salt to the hashing function, thus increasing the chances of an attacker being able to reverse the hash and discover the original password if the database is compromised.
Fixing this is as simple as providing a salt to the hashing function on initialization:
// # UpdateUserLogin returns True on success, False otherwise//
hasher = hashlib.new('md5',b'SaltGoesHere')hasher.update(Password)hashedPassword = hasher.digest()return updateUserLogin(userName,hashedPassword)def storePassword(userName,Password):
Note that regardless of the usage of a salt, the md5 hash is no longer considered secure, so this example still exhibits CWE-327.
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.