Usage of weak encryption algorithm on a password (DES)

• Rule ID: java_lang_weak_password_encryption_des
• Languages: java
• Source: weak_password_encryption_des.yml

Description

The Data Encryption Standard (DES) is recognized as a weak encryption algorithm and should not be used for securing passwords. Encryption, being reversible, is not suitable for password storage because it allows the original password to be retrieved. Passwords should instead be hashed, an irreversible process that transforms them into a fixed-size string of characters.

Remediations

• Do not use DES or any encryption method for password storage. Encryption's reversible nature poses a security risk by potentially allowing the retrieval of the original password.
• Do use a secure and recommended hashing algorithm for password storage. Hashing is a one-way process, making it impossible to reverse-engineer the original password from the hash. The following code snippet demonstrates how to use the SHA-256 hashing algorithm, which is considered secure for password hashing.

  MessageDigest md = MessageDigest.getInstance("SHA-256");

References

• Java MessageDigest class

Associated CWE

• CWE-326: Inadequate Encryption Strength

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_weak_password_encryption_des

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_weak_password_encryption_des