Usage of weak hashing library on a password (Argon2)

Description

Argon2 comes in three variants. Argon2d uses data-dependent memory access, which gives the strongest resistance to GPU and ASIC cracking but makes it vulnerable to side-channel (timing) attacks, so it is unsuitable for password hashing on shared hosts. Argon2i uses data-independent memory access, which closes the side channel but leaves it weaker against time-memory trade-off attacks. Argon2id runs the first pass in data-independent mode and the remaining passes in data-dependent mode, combining the side-channel resistance of Argon2i with the cracking resistance of Argon2d, and is the variant recommended for password hashing by RFC 9106 and the OWASP Password Storage Cheat Sheet. Selecting Argon2i or Argon2d explicitly weakens stored password hashes against one of these attack classes.

Recommendations

❌ Do not override the default type (Argon2id) when using the Argon2 library

  const argon2 = require("argon2");

  // ❌ Passing `type` forces Argon2i; leaving it out keeps the library default, Argon2id
  const hash = await argon2.hash(req.params.password, { type: argon2.argon2i })
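The following is an added example, not code from the Bearer rule page or from the node-argon2 project. It hashes with the package defaults (the `type` option is never passed, so Argon2id is used) and then checks the resulting PHC-formatted string against a minimum policy before the hash is stored, which also lets you audit hashes already in a database. The `argon2` npm package is assumed to be installed for hashPassword and verifyPassword; the parser and policy check are plain JavaScript. The parameter floor (19 MiB, t=2, p=1) follows the OWASP Password Storage Cheat Sheet; the node-argon2 defaults at the time of writing (argon2id, m=65536 KiB, t=3, p=4) sit well above it. The sample strings use placeholder salt and hash fields and are constructed for illustration, not real digests.

```javascript
// Added example (not from the Bearer rule page or the node-argon2 project).
// Assumes the `argon2` npm package for hashPassword/verifyPassword; the
// PHC-string parser and policy check run without it.

// Minimum acceptable Argon2 parameters (OWASP baseline: Argon2id,
// 19 MiB memory, 2 iterations, 1 lane). node-argon2's defaults
// (argon2id, m=65536 KiB, t=3, p=4) clear this bar.
const POLICY = { type: "argon2id", minMemoryKiB: 19456, minTimeCost: 2, minParallelism: 1 };

// Parse a PHC-formatted Argon2 string such as
// "$argon2id$v=19$m=65536,t=3,p=4$<base64 salt>$<base64 hash>" into its fields.
// Returns null when the string is not in that format.
function parseArgon2Hash(encoded) {
  const re = /^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$/;
  const m = re.exec(encoded);
  if (!m) return null;
  return {
    type: m[1],
    version: Number(m[2]),
    memoryKiB: Number(m[3]),
    timeCost: Number(m[4]),
    parallelism: Number(m[5]),
    salt: m[6],
    hash: m[7],
  };
}

// Return the list of policy violations for an encoded hash; an empty array
// means the hash uses Argon2id with parameters at or above the floor.
function checkArgon2Policy(encoded, policy = POLICY) {
  const parsed = parseArgon2Hash(encoded);
  if (!parsed) return ["not a PHC-formatted Argon2 hash"];
  const problems = [];
  if (parsed.type !== policy.type) problems.push(`type is ${parsed.type}, expected ${policy.type}`);
  if (parsed.memoryKiB < policy.minMemoryKiB) problems.push(`m=${parsed.memoryKiB} below ${policy.minMemoryKiB} KiB`);
  if (parsed.timeCost < policy.minTimeCost) problems.push(`t=${parsed.timeCost} below ${policy.minTimeCost}`);
  if (parsed.parallelism < policy.minParallelism) problems.push(`p=${parsed.parallelism} below ${policy.minParallelism}`);
  return problems;
}

// Hash with the library defaults: no `type` option, so Argon2id is used.
// The policy check guards against a future change of defaults or a stray override.
async function hashPassword(password) {
  const argon2 = require("argon2"); // loaded lazily so the checks above run without it
  const encoded = await argon2.hash(password);
  const problems = checkArgon2Policy(encoded);
  if (problems.length) throw new Error(`refusing to store weak hash: ${problems.join("; ")}`);
  return encoded;
}

// Verification reads the variant and parameters from the stored string itself.
async function verifyPassword(encoded, password) {
  const argon2 = require("argon2");
  return argon2.verify(encoded, password);
}

// Constructed sample strings (placeholder salt/hash fields, not real digests):
// only the header fields matter to the policy check.
const SAMPLE_ID = "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g";
const SAMPLE_I = "$argon2i$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g";
const SAMPLE_WEAK = "$argon2id$v=19$m=4096,t=1,p=1$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g";
```

Calling `checkArgon2Policy(SAMPLE_I)` reports the Argon2i type, and `checkArgon2Policy(SAMPLE_WEAK)` reports both the memory and iteration floors; `hashPassword("correct horse battery staple")` returns a string that passes the check with the defaults. The same check can be run over an existing users table to find hashes produced while `type: argon2.argon2i` was in place, so they can be re-hashed on the user's next successful login.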

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_weak_password_hash_argon2

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_weak_password_hash_argon2
