Usage of weak hashing library on a password (DSS)

Description

Using a weak hashing library for password storage compromises data security. Weak hashing algorithms, such as DSS, do not provide sufficient protection against brute-force attacks, making it easier for attackers to recover the original passwords from stored hashes.

Remediations

  • Do not use DSS as a hashing algorithm for passwords. It is considered weak and vulnerable to attacks.
  • Use strong, purpose-built password hashing libraries like bcrypt or Argon2id for password storage. These libraries are designed to secure passwords effectively against brute-force attacks.
    # bcrypt gem: generates a random salt and returns a self-describing hash string
    BCrypt::Password.create("password_123")
    # argon2 gem: Argon2id with a random salt; the returned string embeds the parameters
    hasher = Argon2::Password.new
    hasher.create("password_123")
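As an added example (not part of this rule's documentation or the Bearer project), the following shows the properties a password hash needs that DSS and plain digests lack: a random per-user salt, a tunable cost that slows brute force, a stored string that records its own parameters, and a constant-time comparison on verification. It uses OpenSSL::KDF.scrypt from Ruby's standard library so it runs without the bcrypt or argon2 gems; the module name PasswordHash, the cost parameters and the "scrypt$N$r$p$salt$hash" layout are assumptions for this example, and in an application the bcrypt or argon2 calls above should be used instead.

```ruby
require "openssl"
require "securerandom"

# Example module (not Bearer's code): a salted, memory-hard password hash
# built only from the standard library. bcrypt and Argon2id provide the same
# structure; this is here to show the moving parts.
module PasswordHash
  # Cost parameters are an assumption for this example; raise N on stronger hardware.
  N = 2**14       # CPU/memory cost, must be a power of two
  R = 8           # block size
  P = 1           # parallelism
  LENGTH = 32     # derived key length in bytes
  SALT_BYTES = 16

  # Returns a self-describing string: scrypt$N$r$p$salt$hash (salt and hash base64).
  # A fresh random salt means the same password never yields the same stored value.
  def self.create(password, salt: SecureRandom.bytes(SALT_BYTES))
    key = OpenSSL::KDF.scrypt(password, salt: salt, N: N, r: R, p: P, length: LENGTH)
    ["scrypt", N, R, P, [salt].pack("m0"), [key].pack("m0")].join("$")
  end

  # Recomputes the hash with the parameters stored alongside it and compares
  # in constant time. Malformed input is treated as a failed verification.
  def self.verify(password, stored)
    algo, n, r, p, salt_b64, hash_b64 = stored.to_s.split("$", 6)
    return false unless algo == "scrypt" && hash_b64
    salt = salt_b64.unpack1("m0")       # raises ArgumentError on invalid base64
    expected = hash_b64.unpack1("m0")
    actual = OpenSSL::KDF.scrypt(password, salt: salt, N: n.to_i, r: r.to_i,
                                 p: p.to_i, length: expected.bytesize)
    constant_time_equal?(expected, actual)
  rescue ArgumentError
    false
  end

  # Byte-wise comparison that does not stop at the first differing byte,
  # so timing does not reveal how much of the hash matched.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  stored = PasswordHash.create("password_123")
  puts stored
  puts PasswordHash.verify("password_123", stored)   # true
  puts PasswordHash.verify("password_124", stored)   # false
end
```

Note that the cost parameters live inside the stored string, so they can be raised for new users later without invalidating existing hashes; verification always uses the parameters the hash was created with.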

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_weak_password_hash_dss

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_weak_password_hash_dss