
Insecure Encryption Algorithm - MD5 - Elixir


Need

To secure user passwords using cryptographically secure hashing algorithms.


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Ecto (3.6.2 and above) for database query and manipulation
  3. Usage of Comeonin for password hashing and encryption
  4. Usage of Bcrypt_elixir for secure password hashing and verification

Description

Insecure Code Example

defmodule MyApp.User do
  use Ecto.Schema

  schema "users" do
    field :password_hash, :string
  end

  # Insecure: one unsalted MD5 pass over the password. :crypto.hash/2 returns
  # a raw 16-byte binary, hex-encoded here so it fits the :string column.
  def hash_password(password) do
    :crypto.hash(:md5, password)
    |> Base.encode16(case: :lower)
  end
end

This code is vulnerable because it hashes passwords with MD5, a fast general-purpose digest applied here without a salt or a work factor. If the users table leaks, an attacker can test candidate passwords against every password_hash at very high speed, and identical passwords share identical digests, so captured credentials are easy to crack.

Steps

  1. Replace the MD5 digest with a purpose-built password hashing function such as PBKDF2 or bcrypt, which add a per-password salt and a tunable work factor.
  2. Use the bcrypt implementation provided by 'Comeonin' and 'Bcrypt_elixir' to hash and verify passwords.

Secure Code Example

defmodule MyApp.User do
  use Ecto.Schema
  import Comeonin.Bcrypt

  schema "users" do
    field :password_hash, :string
  end

  # hashpwsalt/1 generates a random per-password salt and runs bcrypt with the
  # configured number of rounds, returning a "$2..."-prefixed string to store.
  # (This is the older Comeonin.Bcrypt API; current bcrypt_elixir 2.x exposes
  # the same operation as Bcrypt.hash_pwd_salt/1.)
  def hash_password(password) do
    hashpwsalt(password)
  end
end

In this secure code example, we've replaced the MD5 hash function with bcrypt, which generates a random salt for every password and repeats its work for a configurable number of rounds, so each stored hash has to be attacked separately and slowly. This mitigates the risks associated with MD5; store the returned string in password_hash and verify logins with the library's check function rather than comparing hashes yourself.
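As an added example that is not the page's own code, here is the same replacement wired into an Ecto changeset with the current bcrypt_elixir 2.x API (Bcrypt.hash_pwd_salt/1, Bcrypt.verify_pass/2, Bcrypt.no_user_verify/0), plus a verify path that spends the same cost whether or not the user exists and a helper for finding rows that still hold a hex MD5 digest. The module name, the :email and :password fields and the length limits are assumptions; password_hash is the page's column.

```elixir
# Added example, not the page's own code: module, :email/:password fields and
# the length limits are assumptions; password_hash is the page's column.
defmodule MyApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    # The plaintext lives only in the changeset; redact keeps it out of logs.
    field :password, :string, virtual: true, redact: true
    field :password_hash, :string, redact: true
  end

  def registration_changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    # bcrypt only consumes the first 72 bytes of its input.
    |> validate_length(:password, min: 12, max: 72, count: :bytes)
    |> put_password_hash()
  end

  # Hash only when the rest of the changeset is valid; the plaintext change is
  # dropped so it never reaches the database or an error report.
  defp put_password_hash(%Ecto.Changeset{valid?: true, changes: %{password: pw}} = cs) do
    cs
    |> put_change(:password_hash, Bcrypt.hash_pwd_salt(pw))
    |> delete_change(:password)
  end

  defp put_password_hash(changeset), do: changeset

  # Stored bcrypt strings start with "$2"; verify_pass compares in constant time.
  def valid_password?(%__MODULE__{password_hash: "$2" <> _ = hash}, password)
      when is_binary(password) do
    Bcrypt.verify_pass(password, hash)
  end

  # No such user, or a row still holding a legacy non-bcrypt digest: spend the
  # same bcrypt cost anyway so response time does not reveal which case it was.
  def valid_password?(_user_or_nil, _password) do
    Bcrypt.no_user_verify()
    false
  end

  # Flags a stored value shaped like a hex MD5 digest (32 hex characters) so an
  # audit can find accounts that must be rehashed or reset.
  def legacy_md5_hash?(hash) when is_binary(hash),
    do: Regex.match?(~r/\A[0-9a-f]{32}\z/i, hash)
end
```

Legacy rows flagged by legacy_md5_hash?/1 will fail valid_password?/2 by design; rehash them through registration_changeset/2 on the next successful password reset rather than keeping an MD5 login path alive.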


References

  • 263 - Insecure Encryption Algorithm - MD5

  • Last updated: 2023/09/18