Usage of weak encryption algorithm on a password (DES)

• Rule ID: javascript_lang_weak_password_encryption_des
• Languages: javascript
• Source: weak_password_encryption_des.yml

Description

The Data Encryption Standard (DES) is recognized as a weak encryption algorithm and should not be used for securing passwords. Encryption, being reversible, is not suitable for password storage because it allows the original password to be retrieved. Passwords should instead be hashed, an irreversible process that transforms them into a fixed-size string of characters.

Remediations

• Do not use DES or any encryption method for password storage. Encryption's reversible nature poses a security risk by potentially allowing the retrieval of the original password.
• Do use a strong hashing algorithm like Argon2id for password storage. Hashing is one-way, making it impossible to reverse and retrieve the original password.

  const argon2 = require("argon2");
  
  const hash = await argon2.hash(req.params.password, { type: argon2.argon2id })

References

• OWASP Password Storage Cheat Sheet

Associated CWE

• CWE-326: Inadequate Encryption Strength

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_weak_password_encryption_des

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_weak_password_encryption_des