# Use of Password Hash With Insufficient Computational Effort (CWE-916)

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

- Prevalence: High (frequently exploited)
- Impact: High (2 high-severity rules)
- Prevention: Documented (2 remediation examples)

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

Fast hashing algorithms like MD5, SHA-1, or even SHA-256 are unsuitable for password hashing because they can be computed quickly, enabling rapid brute-force attacks. Purpose-built password hashing algorithms like bcrypt, scrypt, or Argon2 are designed to be slow.

## Prevention

Prevention strategies for Insufficient Password Hash, based on 2 Shoulder detection rules.

### JavaScript

Use bcrypt or argon2 for password hashing instead of MD5/SHA1/SHA256.

### Python

Use bcrypt, argon2, or PBKDF2 instead of MD5/SHA for password hashing.

## Warning Signs

- [HIGH] Password hashing using weak algorithms (MD5, SHA1, plain SHA256) without proper salt or iteration, making passwords vulnerable to rainbow table and brute force attacks.
- [HIGH] Use of weak password hashing algorithms like MD5 or SHA-1 instead of bcrypt, argon2, or PBKDF2.

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Use bcrypt, scrypt, or Argon2 for password hashing.
- Use appropriate work factors that make hashing slow.
- Salt passwords before hashing.

## Detection

- Total rules: 2
- Languages: javascript, typescript, python

## Rules by Language

### JavaScript (1 rule)

- **Weak Password Storage** [HIGH]: Detects password hashing using weak algorithms (MD5, SHA1, plain SHA256) without proper salt or iteration, making passwords vulnerable to rainbow table and brute force attacks.
  - Remediation: Use bcrypt or argon2 for password hashing instead of MD5/SHA1/SHA256.

```javascript
const bcrypt = require('bcrypt');
// Cost factor 12 = 2^12 key-expansion rounds; bcrypt generates and embeds the salt itself.
const hash = await bcrypt.hash(password, 12);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-916/weak-password-storage

### TypeScript (1 rule)

- **Weak Password Storage** [HIGH]: Detects password hashing using weak algorithms (MD5, SHA1, plain SHA256) without proper salt or iteration, making passwords vulnerable to rainbow table and brute force attacks.
  - Remediation: Use bcrypt or argon2 for password hashing instead of MD5/SHA1/SHA256.

```javascript
const bcrypt = require('bcrypt');
// Cost factor 12 = 2^12 key-expansion rounds; bcrypt generates and embeds the salt itself.
const hash = await bcrypt.hash(password, 12);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-916/weak-password-storage

### Python (1 rule)

- **Weak Password Hashing Algorithm** [HIGH]: Detects use of weak password hashing algorithms like MD5 or SHA-1 instead of bcrypt, argon2, or PBKDF2.
  - Remediation: Use bcrypt, argon2, or PBKDF2 for password hashing.

```python
import bcrypt

# gensalt() produces a fresh random salt; rounds=12 sets the cost factor (2^12 iterations).
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
```

Learn more: https://shoulder.dev/learn/python/cwe-916/weak-password-hashing
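The following added example is not Shoulder's code or part of the rule set above; it contrasts the flagged pattern (an unsalted, single-round SHA-256) with a hardened scheme, and it shows the two properties the description relies on: a per-user salt defeats precomputed (rainbow) tables, and a high iteration count makes each guess expensive. It uses PBKDF2-HMAC-SHA256 from the standard library, which the Python rule lists as an acceptable alternative to bcrypt, so it runs without third-party packages. The function names, the `pbkdf2_sha256$iterations$salt$hash` storage format, and the iteration count are assumptions of this example, not values from the page.

```python
import hashlib
import hmac
import os
import time

# Weak pattern the rule flags: fast hash, no salt, one round.
# Identical passwords yield identical digests, so one precomputed table cracks every user.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Hardened alternative: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a high
# iteration count. (Assumed work factor for this example; tune it to your hardware.)
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, salt and digest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != ALGO or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True if a record was made with a lower work factor than current policy.
    Call this after a successful login and re-hash with the new factor."""
    try:
        algo, iters, _salt, _dk = stored.split("$")
        return algo != ALGO or int(iters) < min_iterations
    except ValueError:
        return True


def cost_ratio(password: str = "example", iterations: int = 100_000) -> float:
    """Rough ratio of hardened-hash time to weak-hash time on this machine.
    This is the factor by which every attacker guess gets slower."""
    weak_runs = 1000
    t0 = time.perf_counter()
    for _ in range(weak_runs):
        weak_hash(password)
    weak_each = (time.perf_counter() - t0) / weak_runs

    salt = os.urandom(16)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    strong_each = time.perf_counter() - t0
    return strong_each / max(weak_each, 1e-9)


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("weak hash repeats:", weak_hash("hunter2") == weak_hash("hunter2"))
    print("salted hash repeats:", hash_password("hunter2") == hash_password("hunter2"))
    print(f"each guess ~{cost_ratio():,.0f}x slower than plain SHA-256")
```

`needs_rehash` is what lets the work factor grow over time: because the iteration count is stored with each record, old records keep verifying, and the application upgrades them transparently at the user's next successful login.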