Insecure Argon2 type used for password hashing.

Rule ID: javascript_lang_weak_password_hash_argon2
Languages: javascript
Source: weak_password_hash_argon2.yml

Description

Out of the three variants of the Argon2 algorithm (Argon2i, Argon2d, Argon2id), Argon2id is the recommended choice because it offers the best protection.

Recommendations

❌ Do not override the default type (Argon2id) when using the Argon2 library

  const argon2 = require("argon2");

  const hash = await argon2.hash(req.params.password, { type: argon2.argon2i })

Resources

Argon2 type options
OWASP Password Storage Cheat Sheet

Associated CWE

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-916: Use of Password Hash With Insufficient Computational Effort

OWASP Top 10

A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_weak_password_hash_argon2

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_weak_password_hash_argon2

Ready to take the next step? Learn more about Bearer Cloud.