Insecure Argon2 type used for password hashing.
- Rule ID: javascript_lang_weak_password_hash_argon2
- Languages: javascript
- Source: weak_password_hash_argon2.yml
Description
Of the three Argon2 variants (Argon2i, Argon2d, Argon2id), Argon2id is the recommended choice: it combines Argon2i's resistance to side-channel attacks with Argon2d's resistance to GPU cracking, and it is the default type in the `argon2` library. Explicitly selecting Argon2i or Argon2d gives up one of those protections, which is what this rule detects.
Recommendations
❌ Do not override the default type (Argon2id) when using the Argon2 library. The snippet below is the pattern the rule flags: the `type` option forces Argon2i.

```javascript
const argon2 = require("argon2");

// Flagged: overriding the default Argon2id type with Argon2i
const hash = await argon2.hash(req.params.password, { type: argon2.argon2i });
```
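The following is an added example, not code from the Bearer rule page or from the `argon2` project. It shows the remediation the rule calls for (hashing with Argon2id and explicit cost parameters) together with a small audit helper that parses the PHC-format string `argon2.hash` produces, so that legacy Argon2i/Argon2d digests already in a database can be recognised and transparently rehashed on the next successful login. It assumes the `argon2` npm package is installed; the `argon2.hash`, `argon2.verify` and `argon2.argon2id` names are that package's real API, while `HASH_POLICY`, `parseArgon2Hash`, `isAcceptableHash`, `hashPassword` and `verifyAndMaybeRehash` are names chosen here. The cost parameters follow the second recommended parameter set in RFC 9106 (64 MiB memory, 3 passes, 4 lanes).

```javascript
// Added example: enforce Argon2id and audit stored hashes for weaker variants.
// Assumes the `argon2` npm package (loaded lazily so the parsing helpers also
// work in code paths where the native module is not needed).

// Policy applied to every new hash and checked against every stored hash.
const HASH_POLICY = {
  variant: "argon2id",
  memoryCost: 65536, // KiB, i.e. 64 MiB (RFC 9106 second recommended set)
  timeCost: 3,
  parallelism: 4,
};

const ARGON2_VARIANTS = new Set(["argon2i", "argon2d", "argon2id"]);

// Parse a PHC-format Argon2 string such as
//   $argon2id$v=19$m=65536,t=3,p=4$<base64 salt>$<base64 hash>
// into its variant, version and cost parameters. Throws on anything else.
function parseArgon2Hash(encoded) {
  const parts = encoded.split("$"); // leading "$" yields an empty first element
  if (parts.length !== 6 || parts[0] !== "" || !ARGON2_VARIANTS.has(parts[1])) {
    throw new Error("not an Argon2 PHC string");
  }
  const version = Number(parts[2].replace(/^v=/, ""));
  const params = Object.fromEntries(
    parts[3].split(",").map((kv) => {
      const [key, value] = kv.split("=");
      return [key, Number(value)];
    })
  );
  return {
    variant: parts[1],
    version,
    memoryCost: params.m,
    timeCost: params.t,
    parallelism: params.p,
  };
}

// True when a stored hash uses Argon2id with at least the policy's cost.
// A legacy argon2i/argon2d digest, or one hashed with cheaper parameters,
// returns false so the caller can schedule a rehash.
function isAcceptableHash(encoded, policy = HASH_POLICY) {
  const h = parseArgon2Hash(encoded);
  return (
    h.variant === policy.variant &&
    h.memoryCost >= policy.memoryCost &&
    h.timeCost >= policy.timeCost
  );
}

// Hash a new password. The type is set explicitly to argon2id so a later
// change to the library default cannot silently weaken it.
async function hashPassword(password, policy = HASH_POLICY) {
  const argon2 = require("argon2");
  return argon2.hash(password, {
    type: argon2.argon2id,
    memoryCost: policy.memoryCost,
    timeCost: policy.timeCost,
    parallelism: policy.parallelism,
  });
}

// Verify a login attempt. On success, return a replacement hash when the
// stored one does not meet the policy (e.g. it was created with argon2i),
// so the caller can overwrite it while the plaintext is still available.
async function verifyAndMaybeRehash(storedHash, password, policy = HASH_POLICY) {
  const argon2 = require("argon2");
  const ok = await argon2.verify(storedHash, password);
  if (!ok) return { ok: false, newHash: null };
  const newHash = isAcceptableHash(storedHash, policy)
    ? null
    : await hashPassword(password, policy);
  return { ok: true, newHash };
}

module.exports = { HASH_POLICY, parseArgon2Hash, isAcceptableHash, hashPassword, verifyAndMaybeRehash };
```

Wiring `verifyAndMaybeRehash` into the login handler and persisting `newHash` whenever it is non-null migrates a user base off Argon2i without a forced password reset; a one-off query that runs `isAcceptableHash` over the stored column reports how many legacy digests remain.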
Resources
Associated CWE
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-916: Use of Password Hash With Insufficient Computational Effort
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_lang_weak_password_hash_argon2
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_lang_weak_password_hash_argon2