Use of a One-Way Hash without a Salt
Weakness ID: 759 (Weakness Class)Status: Incomplete
+ Description

Description Summary

The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input.

Extended Description

This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables.

+ Observed Examples
ReferenceDescription
CVE-2008-1526Router does not use a salt with a hash, making it easier to crack passwords.
CVE-2008-4905Blogging software uses a hard-coded salt when calculating a password hash.
CVE-2006-1058Router does not use a salt with a hash, making it easier to crack passwords.
+ Background Details

In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base327Use of a Broken or Risky Cryptographic Algorithm
Research Concepts (primary)1000
+ References
Robert Graham. "The Importance of Being Canonical". 2009-02-02. <http://erratasec.blogspot.com/2009/02/importance-of-being-canonical.html>.
Thomas Ptacek. "Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes". 2007-09-10. <http://www.matasano.com/log/958/>.
James McGlinn. "Password Hashing". <http://phpsec.org/articles/2005/password-hashing.html>.
Jeff Atwood. "Rainbow Hash Cracking". 2007-09-08. <http://www.codinghorror.com/blog/archives/000949.html>.
"Rainbow table". Wikipedia. 2009-03-03. <http://en.wikipedia.org/wiki/Rainbow_table>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 9, "Creating a Salted Hash" Page 302. 2nd Edition. Microsoft. 2002.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2009-03-03Internal CWE Team
Modifications
Modification DateModifierOrganizationSource
2009-10-29CWE Content TeamMITREInternal
updated Relationships
Back to top