Use of a One-Way Hash with a Predictable Salt
Weakness ID: 760 (Weakness Class)Status: Incomplete
+ Description

Description Summary

The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input.

Extended Description

This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.

+ Observed Examples
CVE-2002-1657Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.
CVE-2001-0967Server uses a constant salt when encrypting passwords, simplifying brute force attacks.
CVE-2005-0408chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.
+ Background Details

In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base327Use of a Broken or Risky Cryptographic Algorithm
Research Concepts (primary)1000
+ References
Robert Graham. "The Importance of Being Canonical". 2009-02-02. <>.
Thomas Ptacek. "Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes". 2007-09-10. <>.
James McGlinn. "Password Hashing". <>.
Jeff Atwood. "Rainbow Hash Cracking". 2007-09-08. <>.
"Rainbow table". Wikipedia. 2009-03-03. <>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 9, "Creating a Salted Hash" Page 302. 2nd Edition. Microsoft. 2002.
+ Content History
Submission DateSubmitterOrganizationSource
2009-03-03Internal CWE Team
Modification DateModifierOrganizationSource
2009-10-29CWE Content TeamMITREInternal
updated Observed Examples, Relationships