Usage of weak hashing library on a password (MDx)
- Rule ID: php_lang_weak_password_hash_md
- Languages: php
- Source: weak_password_hash_md.yml
Description
Hashing passwords with a weak algorithm from the MD family (such as MD5) increases the risk of a data breach. MD5, for example, is vulnerable to collision attacks, in which two different inputs produce the same hash value, compromising data integrity and security.
Remediations
- Do not use MD5 to hash passwords; it is considered weak and vulnerable to attack.
$encrypted_password = md5($user->password); // unsafe
- Do use stronger, more secure hashing functions, such as PHP's password_hash, for storing passwords. This function is designed to use a strong hash algorithm that is currently considered secure.
$encrypted_password = password_hash($user->password, PASSWORD_DEFAULT);
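The following is an added example, not code from the Bearer rule page or from the Bearer project: it places the md5() pattern the rule flags next to the password_hash()/password_verify() replacement, and adds the piece a real codebase needs during migration, a login check that verifies a legacy MD5 record and rehashes it with password_hash() the first time the correct password is presented. The User class, its legacyMd5 and passwordHash fields, and the sample password are assumptions constructed for the example.

```php
<?php
// Added example (not part of the Bearer rule page). Requires PHP 8.0+ for
// constructor property promotion, named arguments and str_starts_with().
// The User class and its two fields are hypothetical storage columns.

declare(strict_types=1);

final class User
{
    public function __construct(
        public string $username,
        public ?string $legacyMd5 = null,     // hypothetical column holding an old md5() digest
        public ?string $passwordHash = null,  // column holding a password_hash() result
    ) {}
}

// UNSAFE: the pattern the rule flags. md5() is fast and unsalted, so every
// user with the same password gets the same digest and leaked digests are
// cheap to brute-force or look up.
function storeWeak(User $user, string $password): void
{
    $user->legacyMd5 = md5($password); // unsafe
}

// SAFE: password_hash() uses a slow, salted algorithm (bcrypt under
// PASSWORD_DEFAULT at the time of writing) and embeds the algorithm, cost
// and salt in the returned string, so no extra columns are needed.
function storeStrong(User $user, string $password): void
{
    $user->passwordHash = password_hash($password, PASSWORD_DEFAULT);
    $user->legacyMd5 = null; // drop the weak digest once a strong hash exists
}

// Login check that also migrates a legacy MD5 record on first successful use.
function verifyAndUpgrade(User $user, string $password): bool
{
    if ($user->passwordHash !== null) {
        if (!password_verify($password, $user->passwordHash)) {
            return false;
        }
        // Rehash if the default algorithm or cost changed since the hash was made.
        if (password_needs_rehash($user->passwordHash, PASSWORD_DEFAULT)) {
            $user->passwordHash = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }

    if ($user->legacyMd5 !== null) {
        // Constant-time comparison against the legacy digest, then upgrade.
        if (!hash_equals($user->legacyMd5, md5($password))) {
            return false;
        }
        storeStrong($user, $password);
        return true;
    }

    return false; // no credential on record
}

// Demonstration with constructed values: a user still carrying an MD5 digest.
$legacyUser = new User('alice', legacyMd5: md5('correct horse battery staple'));
var_dump(verifyAndUpgrade($legacyUser, 'wrong password'));
var_dump(verifyAndUpgrade($legacyUser, 'correct horse battery staple'));
var_dump($legacyUser->legacyMd5);
var_dump(str_starts_with($legacyUser->passwordHash ?? '', '$2y$'));
```

Run it with `php example.php`. The second verify call succeeds against the MD5 digest, replaces it with a password_hash() result and clears the legacy field, so after migration the rule no longer has an md5() call on the password path to flag; the transitional md5() inside verifyAndUpgrade() is the one place a scan should still expect to see it until every legacy record has been upgraded.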
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=php_lang_weak_password_hash_md
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=php_lang_weak_password_hash_md