
Cracked weak credentials

Description

The low complexity of the hashes stored in the database considerably reduces the amount of time required to crack them.

Impact

Unauthorized access; even insufficient data validation can make the system vulnerable.

Recommendation

Ensure that password digest (hash) functions produce outputs of at least 256 bits.

Threat

Authenticated attacker from Internet with access to the hashes.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:X
  • Score:
    • Base: 3.5
    • Temporal: 3.4
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The application should use strong hashing and encryption algorithms.

const crypto = require('crypto');

function hashPassword(password) {
  // Random per-user salt (256 random bytes, rendered as hex)
  const salt = crypto.randomBytes(256).toString('hex');
  // PBKDF2 with SHA-512: a 64-byte (512-bit) derived key satisfies the 256-bit minimum
  const hash = crypto.pbkdf2Sync(password, salt, 1000, 64, 'sha512').toString('hex');
  // Both values must be stored so the password can be verified later
  return { salt, hash };
}

Non compliant code

Weak hashing algorithm used.

const crypto = require('crypto');

function hashPassword(password) {
  // MD5 is fast to compute and yields only a 128-bit digest; no salt is applied
  const md5sum = crypto.createHash('md5');
  const res = md5sum.update(password).digest('hex');
  return res;
}

Requirements