Dart Cryptography Argon2 Weak Hash Length
Description
This detector identifies weak hash lengths in Dart Argon2 password hashing implementations. Argon2 with insufficient hash length (typically less than 32 bytes) produces cryptographically weak hashes that are more susceptible to brute force attacks and may not provide adequate security for password storage.
Detection Strategy
• Scans Dart code for imports of cryptography packages containing Argon2 functionality
• Identifies calls to Argon2 hashing functions (like Argon2id) from imported cryptography libraries
• Examines the 'hashLength' parameter in Argon2 function calls
• Reports a vulnerability when the hashLength parameter is set to a value considered cryptographically weak (typically less than 32 bytes)
• Only triggers when both the Argon2 function call and weak hash length parameter are present in the same code location
Vulnerable code example
import 'package:cryptography/cryptography.dart';
Future<void> weakArgon2() async {
final algorithm = Argon2id(
parallelism: 1,
memory: 65536,
iterations: 3,
hashLength: 8, // VULNERABLE: Below AES-128 minimum of 16 bytes...✅ Secure code example
import 'package:cryptography/cryptography.dart';
Future<void> secureArgon2() async {
final algorithm = Argon2id(
parallelism: 1,
memory: 65536,
iterations: 3,
hashLength: 32, // SECURE: 32 bytes meets AES-256 standard and modern recommendations...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.