Usage of weak encryption algorithm on a password (Blowfish)

• Rule ID: ruby_lang_weak_password_encryption_blowfish
• Languages: ruby
• Source: weak_password_encryption_blowfish.yml

Description

Using a weak encryption algorithm like Blowfish for passwords increases the risk of data breaches. Encryption, being reversible, is not suitable for password storage because it allows the original password to be retrieved. Passwords should instead be hashed, an irreversible process that transforms them into a fixed-size string of characters.

Remediations

• Do not use encryption algorithms for storing passwords. Encryption is not secure enough for password management because it can be reversed to reveal the original password.

• Do use strong hashing algorithms specifically designed for password storage, such as bcrypt or Argon2id. These algorithms are more secure because they are designed to be slow and computationally expensive to reverse, making password cracking much harder.

  BCrypt::Password.create("password_123")

  hasher = Argon2::Password.new()
  hasher.create("password_123")

References

• OWASP Password Storage Cheat Sheet
• BCrypt Explained
• ruby-argon2

Associated CWE

• CWE-326: Inadequate Encryption Strength

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_weak_password_encryption_blowfish

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_weak_password_encryption_blowfish