Usage of weak encryption algorithm on a password (DES)

Overview

• Rule ID: javascript_lang_weak_password_encryption_des

• Applicable Languages: Javascript

• Weakness ID: CWE-326

Description

The Data Encryption Standard (DES) is known for its weaknesses and should not be used for password security. Since encryption is reversible, it can allow retrieval of the original password, making it unsuitable for password storage. Instead, passwords should be hashed, an irreversible process that converts them into a fixed-size string of characters.

Remediation Guidelines

• Avoid using DES or any encryption method for password storage. The reversible nature of encryption creates a security risk by potentially enabling the retrieval of the original password.

• Use a robust hashing algorithm such as Argon2id for password storage. Hashing is a one-way process, preventing the reversal and retrieval of the original password.

  Copy

  const argon2 = require("argon2");
  
  const hash = await argon2.hash(req.params.password, { type: argon2.argon2id })
  

References

• OWASP Password Storage Cheat Sheet

• CWE-326: Inadequate Encryption Strength

• OWASP Top 10: A02:2021 - Cryptographic Failures

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL