# Insecure hashing algorithm

## Description

The crypt family of functions (crypt, crypt_r) is not recommended because of its small key space: modern hardware can brute-force crypt-produced password hashes relatively quickly. Consider using the Argon2id password hashing algorithm provided by libsodium.

## Examples

### Insecure Code

```c
/* crypt(3): small key space, cheap to brute-force on modern hardware */
char *hash = crypt(password, salt);
```

### Secure Code

```c
/* libsodium Argon2id: the output string embeds salt and parameters; returns -1 on failure */
char hash[crypto_pwhash_STRBYTES];
crypto_pwhash_str(hash, password, strlen(password), crypto_pwhash_OPSLIMIT_INTERACTIVE, crypto_pwhash_MEMLIMIT_INTERACTIVE);
```

## Remediation
Replace crypt or crypt_r with a secure password hashing algorithm like Argon2id from libsodium.
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0588 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | password hashing, insecure algorithm |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |