
Passwords should not be stored in plain-text or with a fast hashing algorithm


    Details

    • Message:
      Use a secure password hashing algorithm.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, C, C++, JavaScript, Kotlin, PHP, Python, TypeScript, VB.Net, VB6
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, APEX, Cobol, CSS, Flex, Go, HTML, Objective-C, PL/I, PL/SQL, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-328, CWE-327, CWE-916
    • OWASP:
      A2, A6, A3
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      WEAK_MESSAGE_DIGEST_MD5, WEAK_MESSAGE_DIGEST_SHA1
    • FxCop:
      CA5384

      Description

      A user password should never be stored in clear text; instead, a hash should be produced from it using a secure algorithm that is:

      • not vulnerable to brute force attacks;
      • not vulnerable to collision attacks (see rule s4790);
      • combined with a salt added to the password, to lower the risk of rainbow table attacks (see rule s2053).

      This rule raises an issue when a password is stored in clear text or hashed with an algorithm vulnerable to brute force attacks. Such algorithms, like MD5 or the SHA-family functions, are fast to compute, so brute force attacks become practical (it is easier to exhaust the entire space of possible passwords), especially with hardware such as GPUs, FPGAs or ASICs. Modern password hashing algorithms such as bcrypt, PBKDF2 or Argon2 are recommended.
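      The contrast the description draws, written out as an added Python example (not SonarSource's code and not the rule's implementation): the noncompliant pattern is an unsalted MD5 digest of the password; the compliant pattern uses PBKDF2-HMAC-SHA256 with a random per-user salt and a deliberately high iteration count, stores salt and cost alongside the digest, and verifies with a constant-time comparison. The iteration count, the `pbkdf2_sha256$...` record format and the `is_weak_hash` migration check are assumptions of this example, not values from the rule.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Noncompliant: a fast, unsalted digest. Identical passwords give identical
# hashes, and MD5 is cheap enough to brute-force on commodity GPUs.
def insecure_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Assumed parameters for the compliant version; tune the cost to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Compliant: salted PBKDF2-HMAC-SHA256, self-describing record.

    Record layout (assumed for this example): algorithm$iterations$salt$digest,
    so the cost can be raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}${}".format(ALGORITHM, iterations, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported password record: " + algorithm)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Defender-side check for a migration: flag stored records that look like bare
# hex MD5 (32 chars) or SHA-1 (40 chars) digests so they can be re-hashed with
# hash_password at the user's next successful login.
_HEX_DIGEST = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$")


def is_weak_hash(stored: str) -> bool:
    return bool(_HEX_DIGEST.match(stored))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
    legacy = insecure_hash("correct horse battery staple")
    print("legacy record needs re-hash:", is_weak_hash(legacy))
```

      Because the salt is random, hashing the same password twice yields two different records, which is what defeats rainbow tables; the cost parameter is what makes exhaustive search expensive, and it is stored with the record so it can be increased over time.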

      See


          Issue Links

          1. Java RSPEC-6167 (Language-Specification, Active, Unassigned)


              People

              Assignee: Unassigned
              Reporter: Alexandre Gigleux (alexandre.gigleux)
