
Hashes should include an unpredictable salt


    Details

    • Message:
      * Add an unpredictable salt value to this hash.
      * Make this salt unpredictable.
      * Make this salt at least 16 bytes.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, VB.Net
    • Covered Languages:
      C#, Java, PHP, Python
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CWE:
      CWE-759, CWE-760
    • OWASP:
      A3
    • SANS Top 25:
      Porous Defenses
    • Fortify:
      weak_cryptographic_hash_predictable_salt

      Description

      In cryptography, a "salt" is an extra piece of data that is mixed into the input when hashing a password. Because the salt changes the hash of an otherwise identical password, it makes rainbow-table attacks more difficult. Using a cryptographic hash function without an unpredictable salt increases the likelihood that an attacker could find the hash value in a database of precomputed hashes (a rainbow table).

      This rule raises an issue when a hashing function specifically designed for hashing passwords, such as PBKDF2, is used with a non-random, reused, or too short salt value. It does not raise an issue on base hashing algorithms such as SHA-1 or MD5, as these should not be used to hash passwords in the first place.

      Recommended Secure Coding Practices

      • Use hashing functions that generate their own secure salt, or generate a secure random value of at least 16 bytes.
      • The salt should be unique per user password; never reuse a salt across records.
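      The following is an added Python example (not SonarSource's rule implementation) showing the noncompliant pattern the rule flags, a constant and too short salt fed to PBKDF2, beside the compliant form that draws a fresh 16-byte salt from the OS random source and stores it next to the digest for verification. SALT_LEN, ITERATIONS and DIGEST_LEN are parameters chosen for this example.

```python
import hashlib
import hmac
import os

# Parameters chosen for this added example (not from the rule page).
SALT_LEN = 16          # the rule's minimum salt size, in bytes
ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor
DIGEST_LEN = 32


def hash_password_noncompliant(password: str) -> bytes:
    # Noncompliant: a constant, 4-byte salt. Every user who picks the same
    # password gets the same digest, so one precomputed table covers them all.
    salt = b"salt"
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, DIGEST_LEN)


def hash_password(password: str) -> bytes:
    # Compliant: a fresh, unpredictable salt from the OS CSPRNG for every hash.
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, DIGEST_LEN)
    # The salt is not secret; it is stored beside the digest so verification can reuse it.
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    # Split the stored record back into salt and digest, recompute, compare in constant time.
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, DIGEST_LEN)
    return hmac.compare_digest(digest, expected)


def salt_is_acceptable(salt: bytes, seen_salts: set) -> bool:
    # Mirrors the rule's two static checks: at least 16 bytes, and not reused
    # across records (a reused salt is as good as a constant one).
    return len(salt) >= SALT_LEN and salt not in seen_salts


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("two hashes of the same password differ:",
          hash_password("hunter2") != hash_password("hunter2"))
    print("constant salt passes check:", salt_is_acceptable(b"salt", set()))
```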

      See

          Issue Links

          1. Java RSPEC-2054 Language-Specification Active Unassigned
          2. PHP RSPEC-4714 Language-Specification Active Unassigned
          3. Python RSPEC-5611 Language-Specification Active Unassigned
          4. C# RSPEC-6057 Language-Specification Active Unassigned
          5. VB.NET RSPEC-6066 Language-Specification Active Unassigned

              People

              Assignee:
              Unassigned
              Reporter:
              ann.campbell.2 Ann Campbell
