Hash with Predictable Salt

In cryptography, salt refers to some random addition of data to an input before hashing. Without unique hashing salts adversaries can pre-compute the hash value using dictionary attack techniques such as rainbow tables.

Remediation

Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required (e.g. bcrypt).

Metadata

Severity: low
Slug: hash-with-predictable-salt

CWEs

759: Use of a One-Way Hash without a Salt
1240: Use of a Cryptographic Primitive with a Risky Implementation
760: Use of a One-Way Hash with a Predictable Salt

OWASP

A9:2017: Using Components with Known Vulnerabilities

Available Labs

Open Python labs in SecDim Play for this vulnerability.

medium

Bad password.py

Python Medium Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.