Use of a One-Way Hash with a Predictable Salt
Weakness ID: 760 (Weakness Class)Status: Incomplete
+ Description

Description Summary

The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input.

Extended Description

This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.

+ Observed Examples
ReferenceDescription
CVE-2002-1657Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.
CVE-2001-0967Server uses a constant salt when encrypting passwords, simplifying brute force attacks.
CVE-2005-0408chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.
+ Background Details

In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base327Use of a Broken or Risky Cryptographic Algorithm
Research Concepts (primary)1000
+ References
Robert Graham. "The Importance of Being Canonical". 2009-02-02. <http://erratasec.blogspot.com/2009/02/importance-of-being-canonical.html>.
Thomas Ptacek. "Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes". 2007-09-10. <http://www.matasano.com/log/958/>.
James McGlinn. "Password Hashing". <http://phpsec.org/articles/2005/password-hashing.html>.
Jeff Atwood. "Rainbow Hash Cracking". 2007-09-08. <http://www.codinghorror.com/blog/archives/000949.html>.
"Rainbow table". Wikipedia. 2009-03-03. <http://en.wikipedia.org/wiki/Rainbow_table>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 9, "Creating a Salted Hash" Page 302. 2nd Edition. Microsoft. 2002.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2009-03-03Internal CWE Team
Modifications
Modification DateModifierOrganizationSource
2009-10-29CWE Content TeamMITREInternal
updated Observed Examples, Relationships
Back to top