Usage of weak hashing library on a password (SHA)

Description

Using fast, general-purpose digests like SHA or SHA-1 for password storage compromises security. They are unsalted and cheap to compute, which is exactly what makes them unsuitable for passwords: attackers can test guesses in bulk or use precomputed tables, making it easier to crack passwords and access sensitive information.

Remediations

  • Do not use SHA or SHA-1 for hashing passwords. These algorithms are no longer considered secure for this purpose due to their vulnerability to brute-force and precomputation attacks.
    require 'digest'
    Digest::SHA1.hexdigest('password_123') # unsafe
  • Do use dedicated password hashing libraries such as bcrypt or Argon2id for password hashing. These apply a per-password salt and a tunable work factor, which makes it significantly harder for attackers to breach password data.
    require 'bcrypt'
    BCrypt::Password.create("password_123")

    require 'argon2'
    hasher = Argon2::Password.new
    hasher.create("password_123")
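The following added example (not part of the Bearer rule page) contrasts the flagged pattern with a salted, slow password hash and shows a migration check for existing SHA-1 records. It uses PBKDF2-HMAC-SHA256 from Ruby's openssl stdlib instead of the bcrypt/argon2 gems so that it runs without extra dependencies; the function names and the `pbkdf2$...` storage format are this example's own conventions.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# What the rule flags: an unsalted, fast digest. Every user with the same
# password gets the same stored value, and SHA-1 is cheap to compute in bulk.
def weak_store(password)
  Digest::SHA1.hexdigest(password) # unsafe, shown for contrast only
end

# Work factor for the stdlib KDF below; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000

# Salted, slow password hash built on PBKDF2-HMAC-SHA256 from Ruby's openssl
# stdlib (a stand-in for bcrypt/Argon2id so the example needs no gems).
# Stored as "pbkdf2$<iterations>$<salt hex>$<key hex>".
def strong_store(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.bytes(16) # fresh random salt per password
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: 32, hash: 'sha256')
  ['pbkdf2', iterations, salt.unpack1('H*'), key.unpack1('H*')].join('$')
end

# Constant-time byte comparison so a mismatch does not leak where it occurred.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def strong_verify(password, stored)
  scheme, iterations, salt_hex, key_hex = stored.split('$')
  return false unless scheme == 'pbkdf2'
  expected = [key_hex].pack('H*')
  candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: [salt_hex].pack('H*'),
                                       iterations: iterations.to_i,
                                       length: expected.bytesize, hash: 'sha256')
  secure_equal?(candidate, expected)
end

# Migration check for an existing user table: a bare 40-hex SHA-1 digest, or a
# PBKDF2 record below the current work factor, should be rehashed on next login.
def needs_rehash?(stored)
  return true if stored.match?(/\A\h{40}\z/)
  scheme, iterations = stored.split('$')
  scheme != 'pbkdf2' || iterations.to_i < PBKDF2_ITERATIONS
end
```

In an application, call needs_rehash? after a successful login and replace the stored value with strong_store (or the bcrypt/Argon2id equivalent) so legacy SHA-1 records disappear over time.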

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_weak_password_hash_sha

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_lang_weak_password_hash_sha