Usage of weak hashing library on a password (MD5)

Overview

  • Rule ID: javascript_lang_weak_password_hash_md5

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-326

Description

Using a weak hashing library such as MD5 for password storage undermines security. MD5 is outdated and vulnerable, increasing the likelihood of attackers successfully cracking passwords and gaining unauthorized access.

Remediation Guidelines

  • Avoid using MD5 for hashing passwords or sensitive data, as it is no longer deemed secure.

  • Use a robust and recommended hashing library, such as Argon2id, for password hashing. This approach improves security by significantly increasing the difficulty for attackers to crack stored passwords.

    const argon2 = require("argon2");

    // Inside an async request handler; argon2id is the variant recommended for password storage.
    const hash = await argon2.hash(req.params.password, { type: argon2.argon2id });

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL
