# Weak Password Storage

- ID: javascript-weak-password-storage
- Severity: HIGH
- CWE: CWE-916
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs, nodejs

## Description

Detects password hashing that uses weak algorithms (MD5, SHA1, plain SHA256) without proper salt or iteration, which leaves passwords vulnerable to rainbow table and brute force attacks.

## Remediation

Use bcrypt or argon2 for password hashing instead of MD5/SHA1/SHA256.

```javascript
const bcrypt = require('bcrypt');

// `await` needs an async context; 12 is the bcrypt cost factor.
async function hashPassword(password) {
  return bcrypt.hash(password, 12); // bcrypt generates and embeds a per-password salt
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-916/weak-password-storage

## Related Rules

- **Weak Password Hashing Algorithm** [HIGH]: