# Use of Password Hash With Insufficient Computational Effort (CWE-916)

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

- Prevalence: High, frequently exploited
- Impact: High, 2 high-severity rules
- Prevention: Documented, 2 fix examples

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

Fast hashing algorithms like MD5, SHA-1, or even SHA-256 are unsuitable for password hashing because they can be computed quickly, enabling rapid brute-force attacks. Purpose-built password hashing algorithms like bcrypt, scrypt, or Argon2 are designed to be slow and to take a tunable work factor, so the cost of each guess can be raised as hardware gets faster.

## Prevention

Prevention strategies for Insufficient Password Hash, based on 2 Shoulder detection rules.

### JavaScript

Use bcrypt or argon2 for password hashing instead of MD5/SHA1/SHA256.

### Python

Use bcrypt, argon2, or PBKDF2 instead of MD5/SHA for password hashing.

## Warning Signs

- [HIGH] password hashing using weak algorithms (MD5, SHA1, plain SHA256) without proper salt or iteration, making passwords vulnerable to rainbow table and brute force attacks
- [HIGH] use of weak password hashing algorithms like MD5 or SHA-1 instead of bcrypt, argon2, or PBKDF2

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Use bcrypt, scrypt, or Argon2 for password hashing
- Use appropriate work factors so that hashing is slow
- Salt passwords before hashing

## Detection

- Total rules: 2
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (1 rule)

- **Weak Password Storage** [HIGH]: Detects password hashing using weak algorithms (MD5, SHA1, plain SHA256) without proper salt or iteration, making passwords vulnerable to rainbow table and brute force attacks.
  - Remediation: Use bcrypt or argon2 for password hashing instead of MD5/SHA1/SHA256.

```javascript
const bcrypt = require('bcrypt');
const hash = await bcrypt.hash(password, 12);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-916/weak-password-storage

### Typescript (1 rule)

- **Weak Password Storage** [HIGH]: Detects password hashing using weak algorithms (MD5, SHA1, plain SHA256) without proper salt or iteration, making passwords vulnerable to rainbow table and brute force attacks.
  - Remediation: Use bcrypt or argon2 for password hashing instead of MD5/SHA1/SHA256.

```javascript
const bcrypt = require('bcrypt');
const hash = await bcrypt.hash(password, 12);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-916/weak-password-storage

### Python (1 rule)

- **Weak Password Hashing Algorithm** [HIGH]: Detects use of weak password hashing algorithms like MD5 or SHA-1 instead of bcrypt, argon2, or PBKDF2.
  - Remediation: Use bcrypt, argon2, or PBKDF2 for password hashing.

```python
import bcrypt
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
```

Learn more: https://shoulder.dev/learn/python/cwe-916/weak-password-hashing
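The following is an added example, not Shoulder's rule code or the page's own snippets. It puts the weak pattern the rules flag (an unsalted, single-pass SHA-256 digest) next to a salted, slow PBKDF2-HMAC-SHA256 scheme from the Python standard library, so it runs offline without the `bcrypt` package. The `pbkdf2-sha256$iterations$salt$hash` storage format and the `needs_rehash` audit helper are constructed for this example; the 600,000 iteration default is OWASP's current PBKDF2-HMAC-SHA256 recommendation, and the sample password is constructed.

```python
"""Weak (plain SHA-256) vs. salted, slow (PBKDF2-HMAC-SHA256) password storage.

Added example using only the standard library. PBKDF2 is one of the three
acceptable choices named on the page; bcrypt or Argon2 would need a
third-party package.
"""
import base64
import hashlib
import hmac
import os

# Work factor. 600,000 is OWASP's current recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2-sha256"  # constructed tag for this example's storage format


def weak_hash(password: str) -> str:
    """The pattern the page's rules flag: unsalted, single-pass SHA-256.
    The same password always yields the same digest, so a precomputed table
    defeats it, and each guess costs only microseconds to check."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. Returns a self-describing record
    ("pbkdf2-sha256$iterations$salt_b64$hash_b64", a constructed format) so the
    work factor can be raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=KEY_BYTES)
    return "%s$%d$%s$%s" % (
        SCHEME,
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(stored: str, password: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the check does not leak how many bytes matched."""
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or bare-digest record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Audit helper for a credential store: True for records still held as a
    bare MD5/SHA-1/SHA-256 digest (the weak pattern) or as PBKDF2 below the
    current work factor. Rehash such users on their next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("weak   :", weak_hash(pw))
    record = hash_password(pw)
    print("pbkdf2 :", record)
    print("verify ok      :", verify_password(record, pw))
    print("verify wrong   :", verify_password(record, pw + "!"))
    print("weak needs rehash:", needs_rehash(weak_hash(pw)))
```

Two properties are worth noticing when running it: two calls to `hash_password` with the same password produce different records because each gets its own salt, whereas `weak_hash` is deterministic; and `verify_password` reads the iteration count from the record, which is what lets `needs_rehash` drive a gradual migration to a higher work factor.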