Usage of weak encryption algorithm on a password (RSA)

• Rule ID: ruby_lang_weak_password_encryption_rsa
• Languages: ruby
• Source: weak_password_encryption_rsa.yml

Description

Using a weak encryption algorithm like 1024-bit RSA for passwords increases the risk of data breaches. Encryption, being reversible, is not suitable for password storage because it allows the original password to be retrieved. Passwords should instead be hashed, an irreversible process that transforms them into a fixed-size string of characters.

Remediations

• Do not use 1024-bit RSA encryption for passwords as it is considered weak and vulnerable to attacks.
• Do use stronger encryption methods such as bcrypt or Argon2id for securing passwords. These libraries provide a higher level of security and are recommended for password storage.

BCrypt::Password.create("password_123")

hasher = Argon2::Password.new()
hasher.create("password_123")

References

• OWASP Password Storage Cheat Sheet
• BCrypt Explained
• ruby-argon2

Associated CWE

• CWE-326: Inadequate Encryption Strength

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_weak_password_encryption_rsa

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_weak_password_encryption_rsa