Cryptography / Password Hash with Insufficient Computational Effort
Password Hash with Insufficient Computational Effort (CWE-521) is a cryptography vulnerability caused by the use of weak password hashing algorithms. It affects mobile apps, infrastructure, web applications and APIs. It occurs when an application hashes passwords with an algorithm that is too fast or otherwise not strong enough, so the stored hashes can be recovered with brute-force or dictionary attacks. References: CWE-521 and the OWASP Testing Guide.
The risk is that an attacker who obtains the stored hashes can crack them offline with brute-force or dictionary attacks, which could lead to unauthorized access to accounts or data.
The best way to protect against this vulnerability is to use a deliberately slow, adaptive password hashing algorithm such as bcrypt or PBKDF2, with a work factor high enough to make each guess expensive. It is also important to salt each hash with a unique random value, so that precomputed tables are useless and identical passwords do not produce identical hashes.
// Use the bcrypt algorithm: "$2a$" selects bcrypt, "10" is the cost factor (2^10 rounds),
// and the salt must be exactly 22 characters from the alphabet ./0-9A-Za-z.
$salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
$passwordHash = crypt($password, '$2a$10$' . $salt);
This example uses the bcrypt algorithm to generate a password hash. In the prefix '$2a$10$', 10 is the cost factor (the work factor, 2^10 key-expansion rounds; raise it as hardware gets faster), not the salt length: bcrypt requires a 22-character salt, which follows the prefix.