Usage of weak encryption algorithm on a password (RC4)

• Rule ID: ruby_lang_weak_password_encryption_rc4
• Languages: ruby
• Source: weak_password_encryption_rc4.yml

Description

Using a weak encryption algorithm like RC4 for passwords increases the risk of security breaches. Encryption, being reversible, is not suitable for password storage because it allows the original password to be retrieved. Passwords should instead be hashed, an irreversible process that transforms them into a fixed-size string of characters.

Remediations

• Do not use encryption algorithms, including RC4, for password storage. Encryption's reversible nature makes it inappropriate for securing passwords.

• Do use strong hashing algorithms such as bcrypt or Argon2id for password storage. These algorithms are designed to securely hash passwords, making them much harder to crack.

  BCrypt::Password.create("password_123")

  hasher = Argon2::Password.new()
  hasher.create("password_123")

References

• OWASP Password Storage Cheat Sheet
• BCrypt Explained
• ruby-argon2

Associated CWE

• CWE-326: Inadequate Encryption Strength

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_weak_password_encryption_rc4

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_weak_password_encryption_rc4