Insecure Argon2 type used for password hashing.

Description

Of the three Argon2 variants (Argon2i, Argon2d, Argon2id), Argon2id is the recommended choice because it combines the side-channel resistance of Argon2i with the resistance to GPU cracking of Argon2d, and so offers the best overall protection for password hashing.

Recommendations

❌ Do not override the default type (Argon2id) when using the Argon2 library

  const argon2 = require("argon2");

  // Weak: explicitly overriding the library default (Argon2id) with Argon2i
  const hash = await argon2.hash(req.params.password, { type: argon2.argon2i });
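The following is an added example, not code from the Bearer rule page or from the argon2 project. It shows the defensive counterpart to the weak call above: a small project-wide hashing helper that pins the type to Argon2id and rejects any attempt to override it, plus a check that flags stored hashes produced with Argon2i or Argon2d so they can be regenerated on the user's next successful login. The constants mirror the values the `argon2` npm package exports (argon2d = 0, argon2i = 1, argon2id = 2); the `hasher` parameter is an injection point assumed here so the helper can be exercised without the native module.

```javascript
// Added example (not part of the Bearer rule page or the argon2 project):
// a password-hashing helper that refuses to let callers downgrade the
// Argon2 variant, plus an audit check for hashes that should be rehashed.

// Variant constants as exported by the `argon2` npm package.
const ARGON2D = 0;
const ARGON2I = 1;
const ARGON2ID = 2;

// Build the option object for argon2.hash(). A `type` override that is
// not Argon2id is rejected instead of silently honoured, so a weaker
// variant can never reach the library through this helper.
function secureArgon2Options(overrides = {}) {
  if ("type" in overrides && overrides.type !== ARGON2ID) {
    throw new Error("Argon2 type override rejected: only Argon2id is permitted");
  }
  return { ...overrides, type: ARGON2ID };
}

// hashPassword() delegates to an injectable hash function (assumed
// wiring for this example); the default forwards to the real argon2.hash.
async function hashPassword(password, hasher = defaultHasher) {
  return hasher(password, secureArgon2Options());
}

async function defaultHasher(password, options) {
  const argon2 = require("argon2"); // loaded lazily so tests need not install it
  return argon2.hash(password, options);
}

// Encoded Argon2 hashes use the PHC string format and begin with the
// variant name, e.g. "$argon2id$v=19$m=65536,t=3,p=4$<salt>$<digest>".
// Returns "argon2id", "argon2i", "argon2d", or null for anything else
// (bcrypt strings, unsalted digests, garbage).
function argon2VariantOf(encoded) {
  const m = /^\$(argon2(?:id|i|d))\$/.exec(encoded);
  return m ? m[1] : null;
}

// True when a stored credential was not produced with Argon2id and
// should be regenerated the next time the user authenticates.
function needsRehash(encoded) {
  return argon2VariantOf(encoded) !== "argon2id";
}
```

In an audit, run `needsRehash` over the stored credential column to size the migration; in the login path, verify with the stored hash first and only then call `hashPassword` to replace it, so no user is locked out by the change.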

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_weak_password_hash_argon2

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_weak_password_hash_argon2
