Usage of weak encryption algorithm on a password (DSA)

• Rule ID: ruby_lang_weak_password_encryption_dsa
• Languages: ruby
• Source: weak_password_encryption_dsa.yml

Description

Using a weak encryption algorithm like DSA for passwords increases the risk of data breaches. Encryption, being reversible, is not suitable for password storage because it allows the original password to be retrieved. Passwords should instead be hashed, an irreversible process that transforms them into a fixed-size string of characters.

Remediations

• Do not use encryption algorithms for password storage. Encryption is not secure enough for this purpose as it allows for the possibility of retrieving the original password.
• Do use strong hashing algorithms such as bcrypt or Argon2id for password storage. These provide a more secure way to handle passwords by making it extremely difficult to reverse the process and obtain the original password.

  BCrypt::Password.create("password_123")

  hasher = Argon2::Password.new()
  hasher.create("password_123")

References

• OWASP Password Storage Cheat Sheet
• BCrypt Explained
• ruby-argon2

Associated CWE

• CWE-326: Inadequate Encryption Strength

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_weak_password_encryption_dsa

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_weak_password_encryption_dsa