Information Leakage / Password Hash Disclosure
Password hash disclosure is an information leakage vulnerability in which an application reveals the stored hash of a user's password, for example in an API response that serialises the whole user record, in a verbose error message (the case CWE-209 describes) or in a log file or backup. The hash is not the password, but it lets an attacker work offline: they hash candidate passwords from a wordlist and compare each result to the disclosed value, or, when the hash is unsalted, simply look it up in a table precomputed from common passwords. With a fast general-purpose hash such as MD5 or SHA-256, commodity GPUs test billions of guesses per second, so most human-chosen passwords fall quickly. Hashes can be disclosed by web and API applications, by infrastructure components (configuration files, database dumps, backups) and by mobile apps that bundle or cache credentials. The OWASP Testing Guide provides guidance on how to test for this vulnerability.
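To make the offline attack concrete, the following is an added example (not code from the original page): a constructed user record whose unsalted SHA-256 hash was leaked, cracked with a precomputed lookup table, beside a salted PBKDF2 hash that forces the attacker to re-derive every candidate for that salt. The wordlist, the user record and the salt are all constructed for the example.

```python
import hashlib

# Constructed wordlist standing in for a real dictionary such as rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine1", "dragon"]

# Constructed: a record as returned by an API that serialised the whole
# user row, including the unsalted SHA-256 hash of the password.
LEAKED_USER = {
    "id": 42,
    "username": "alice",
    "password_hash": hashlib.sha256(b"sunshine1").hexdigest(),
}


def build_lookup_table(words, algo="sha256"):
    """Precompute hash -> plaintext for every candidate once.

    Against unsalted hashes the same table cracks every leaked record
    with a single dictionary lookup (a rainbow table is the space-saving
    version of this idea)."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def crack_unsalted(hexdigest, table):
    """O(1) lookup; returns the plaintext or None if it is not in the table."""
    return table.get(hexdigest.lower())


def crack_salted(hexdigest, salt, words, iterations):
    """With a per-user salt the precomputed table is useless: each candidate
    must be derived again for this salt, paying the full iteration cost per
    guess. Returns (plaintext_or_None, number_of_KDF_evaluations)."""
    attempts = 0
    for w in words:
        attempts += 1
        cand = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations).hex()
        if cand == hexdigest:
            return w, attempts
    return None, attempts


def demo():
    table = build_lookup_table(WORDLIST)
    fast = crack_unsalted(LEAKED_USER["password_hash"], table)

    # Same password stored with a random 16-byte salt and 100k PBKDF2 rounds
    # (constructed salt; a real system uses os.urandom).
    salt = bytes(range(16))
    stored = hashlib.pbkdf2_hmac("sha256", b"sunshine1", salt, 100_000).hex()
    slow, attempts = crack_salted(stored, salt, WORDLIST, 100_000)
    return fast, slow, attempts


if __name__ == "__main__":
    cracked_fast, cracked_slow, attempts = demo()
    print("unsalted SHA-256 cracked by lookup:", cracked_fast)
    print("salted PBKDF2 cracked after", attempts, "KDF evaluations:", cracked_slow)
```

Both hashes fall here because the password is in the wordlist; the difference is cost. The lookup table is built once and reused against every leaked hash, while the salted hash costs 100,000 HMAC computations per candidate per user, which is exactly the ratio a password hashing function is meant to impose.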
Password hash disclosure can have serious consequences, because cracking the hash gives the attacker the user's actual password rather than a session or token that can be revoked. A cracked password leads to account takeover, data theft and unauthorized access to sensitive information, and since passwords are frequently reused it can be tried against the same user's accounts on other services. Disclosed unsalted hashes also reveal which users share a password, because identical passwords produce identical hashes.
The first defence is not to expose the hash at all: serialise user objects through an allow-list of public fields rather than returning whole database rows, keep hashes out of error messages and logs, and restrict access to the backups and configuration files that contain them. Storage should then assume the hash will leak anyway. Passwords must be stored only as the output of a slow, salted password hashing function such as Argon2id, bcrypt, scrypt or PBKDF2 with a high iteration count; general-purpose hashes such as SHA-256 or MD5 are designed to be fast and are unsuitable for passwords even with a salt. A unique random salt per password (generated automatically by bcrypt and Argon2, supplied explicitly for PBKDF2) defeats precomputed tables and stops identical passwords producing identical hashes. Rate limiting and account lockout protect the online login path against brute-force attempts, but they do nothing against offline cracking of a hash that has already been disclosed, which is why the choice of hashing function matters.
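The following is an added example, not code from the original page, showing the two halves of that advice in one place: password storage with PBKDF2-HMAC-SHA256, a random per-user salt and a constant-time comparison, plus an allow-list serializer and a response check that fails if anything shaped like a password hash is about to leave the application. The field names, the `pbkdf2_sha256$iterations$salt$digest` storage format and the hash-shape patterns are assumptions made for the example; the 600,000 default iteration count follows the current OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, slow hash. A fresh 16-byte salt per password means two
    users with the same password get different stored values and a precomputed
    table is worthless. The self-describing format lets the iteration count be
    raised later and old records re-hashed at next login."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Allow-list of fields a user object may expose. Anything not listed here,
# such as password_hash, never reaches a response regardless of what the
# database row contains (assumed field names for the example).
PUBLIC_USER_FIELDS = ("id", "username", "email")


def to_public_json(user_row: dict) -> dict:
    return {k: user_row[k] for k in PUBLIC_USER_FIELDS if k in user_row}


# Shapes of common password hash encodings: bcrypt, Argon2, the PBKDF2 format
# above, and bare 32/40/64-char hex digests (MD5, SHA-1, SHA-256).
_HASH_PATTERNS = [
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    re.compile(r"^\$argon2(id|i|d)\$"),
    re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]+\$[0-9a-f]+$"),
    re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE),
]


def looks_like_password_hash(value: str) -> bool:
    return any(p.match(value) for p in _HASH_PATTERNS)


def response_leaks_hash(payload) -> bool:
    """Safety net for a response filter or an integration test: walk the JSON
    structure and report any string that matches a hash encoding."""
    if isinstance(payload, dict):
        return any(response_leaks_hash(v) for v in payload.values())
    if isinstance(payload, list):
        return any(response_leaks_hash(v) for v in payload)
    return isinstance(payload, str) and looks_like_password_hash(payload)


if __name__ == "__main__":
    row = {
        "id": 1,
        "username": "alice",
        "email": "alice@example.com",  # constructed sample record
        "password_hash": hash_password("correct horse battery staple"),
    }
    print("verify ok:", verify_password("correct horse battery staple", row["password_hash"]))
    print("whole row leaks a hash:", response_leaks_hash(row))
    print("public view leaks a hash:", response_leaks_hash(to_public_json(row)))
```

The serializer is the real control; `response_leaks_hash` is a check to run over API responses in tests (and over log lines) so that a future change that returns the full row is caught before it ships. The hex-digest pattern will also match legitimate values such as content checksums, so treat a hit as something to review rather than an automatic block.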