Weak encryption library usage detected.

Rule ID: javascript_lang_weak_password_encryption
Languages: javascript
Source: weak_password_encryption.yml

Description

Passwords should be encrypted with strong encryption algorithms like aes-256-cbc

Remediations

According to OWASP: MD5, RC4, DES, Blowfish, SHA1. 1024-bit RSA or DSA, 160-bit ECDSA (elliptic curves), 80/112-bit 2TDEA (two key triple DES) are considered as weak hash/encryption algorithms and therefore shouldn't be used.

✅ Use stronger encryption algorithms when storing passwords.

const crypto = require("crypto");

const key = "secret key";
const encrypted = crypto.createHmac("es-256-cbc", key).update(user.password);

Resources

NodeJS Crypto Module

Associated CWE

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-916: Use of Password Hash With Insufficient Computational Effort

OWASP Top 10

A02:2021 - Cryptographic Failures

Ready to take the next step? Join the Bearer Cloud waitlist.