Use of a One-Way Hash without a Salt
Weakness ID: 759 (Weakness Class)Status: Incomplete
+ Description

Description Summary

The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input.

Extended Description

This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables.

+ Observed Examples
CVE-2008-1526Router does not use a salt with a hash, making it easier to crack passwords.
CVE-2008-4905Blogging software uses a hard-coded salt when calculating a password hash.
CVE-2006-1058Router does not use a salt with a hash, making it easier to crack passwords.
+ Background Details

In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base327Use of a Broken or Risky Cryptographic Algorithm
Research Concepts (primary)1000
+ References
Robert Graham. "The Importance of Being Canonical". 2009-02-02. <>.
Thomas Ptacek. "Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes". 2007-09-10. <>.
James McGlinn. "Password Hashing". <>.
Jeff Atwood. "Rainbow Hash Cracking". 2007-09-08. <>.
"Rainbow table". Wikipedia. 2009-03-03. <>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 9, "Creating a Salted Hash" Page 302. 2nd Edition. Microsoft. 2002.
+ Content History
Submission DateSubmitterOrganizationSource
2009-03-03Internal CWE Team
Modification DateModifierOrganizationSource
2009-10-29CWE Content TeamMITREInternal
updated Relationships