Insecure Encryption Algorithm - MD5
Need
To secure user passwords using cryptographically secure hashing algorithms.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Ecto (3.6.2 and above) for database query and manipulation
- Usage of Comeonin for password hashing and encryption
- Usage of Bcrypt_elixir for secure password hashing and verification
Description
Non-compliant code
defmodule MyApp.User do
  use Ecto.Schema

  schema "users" do
    field :password_hash, :string
  end

  # Vulnerable: MD5 is a fast, unsalted general-purpose digest, not a password
  # hashing function. Equal passwords produce equal hashes, and a leaked table
  # can be brute-forced or matched against precomputed tables very quickly.
  def hash_password(password) do
    :crypto.hash(:md5, password)
  end
end
This code is vulnerable because it hashes passwords with MD5, which is considered insecure for this purpose: it is fast and applies no salt, so an attacker who captures the stored hashes can crack the underlying credentials with little effort.
Steps
- Replace the insecure MD5 hash function with a secure one like PBKDF2 or Bcrypt.
- Use the Bcrypt library provided by 'Comeonin' and 'Bcrypt_elixir' to hash passwords.
Compliant code
defmodule MyApp.User do
  use Ecto.Schema
  # Comeonin.Bcrypt is the Comeonin 4.x wrapper around bcrypt_elixir.
  # With Comeonin 5 / bcrypt_elixir 2 the equivalent call is Bcrypt.hash_pwd_salt/1.
  import Comeonin.Bcrypt

  schema "users" do
    field :password_hash, :string
  end

  # hashpwsalt/1 generates a random salt and returns the salted Bcrypt hash,
  # so identical passwords yield different stored values.
  def hash_password(password) do
    hashpwsalt(password)
  end
end
In this secure code example, we've replaced the MD5 hash function with Bcrypt, a slow, salted password hashing algorithm that is considered secure. This effectively mitigates the risks associated with MD5.
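The following added example (not the original page's code) completes the remediation by showing where the hashing happens in an Ecto changeset and how a password is verified afterwards. It assumes bcrypt_elixir 2.x (Bcrypt.hash_pwd_salt/1, Bcrypt.verify_pass/2 and Bcrypt.no_user_verify/0) and Ecto 3.5 or later; the module name MyApp.Accounts.User, the :email field and the virtual :password field are hypothetical.

```elixir
# Added example, not the page's own code. Assumes bcrypt_elixir 2.x and Ecto >= 3.5;
# module and field names are hypothetical.
defmodule MyApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    # Virtual field: accepted on input, never written to the database.
    field :password, :string, virtual: true, redact: true
    field :password_hash, :string, redact: true
    timestamps()
  end

  @doc "Builds a registration changeset; the plaintext password never reaches the DB."
  def registration_changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    # Bcrypt only uses the first 72 bytes of its input, so cap the length explicitly.
    |> validate_length(:password, min: 12, max: 72)
    |> put_password_hash()
  end

  # Hash only when the changeset is valid and a new password was supplied.
  defp put_password_hash(%Ecto.Changeset{valid?: true, changes: %{password: pw}} = cs) do
    cs
    # hash_pwd_salt/1 generates a fresh random salt for every call.
    |> put_change(:password_hash, Bcrypt.hash_pwd_salt(pw))
    # Drop the plaintext so it is not retained on the struct or in logs.
    |> delete_change(:password)
  end

  defp put_password_hash(changeset), do: changeset

  @doc """
  Verifies a candidate password against a stored user.

  When no user was found (nil or a user without a hash), Bcrypt.no_user_verify/0
  still performs a dummy hash so that lookups for unknown and known accounts take
  about the same time, which removes a timing signal for account enumeration.
  """
  def valid_password?(%__MODULE__{password_hash: hash}, password)
      when is_binary(hash) and is_binary(password) do
    Bcrypt.verify_pass(password, hash)
  end

  def valid_password?(_user, _password) do
    Bcrypt.no_user_verify()
    false
  end
end
```

The work factor is configured per environment rather than in the code; in production `config :bcrypt_elixir, log_rounds: 12` (or higher, tuned to the hardware) keeps each hash deliberately slow, while a test environment can lower it so the suite stays fast.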