Go Pbkdf2 Insufficient Iteration Count
Description
This detector identifies PBKDF2 key derivation calls in Go code that use an insufficient iteration count for password hashing. PBKDF2 with a low iteration count is vulnerable to brute-force attacks: each guess costs only a few hash computations, which modern hardware performs very quickly, so password security is compromised.
Detection Strategy
• Scans Go source code files for imports of PBKDF2 libraries (golang.org/x/crypto/pbkdf2 or crypto/pbkdf2)
• Identifies calls to PBKDF2 Key functions from imported libraries
• Analyzes the iteration count parameter in PBKDF2.Key() function calls
• Reports vulnerabilities when iteration count is below secure thresholds (typically less than 100,000 iterations)
• Checks both extended crypto library (golang.org/x/crypto/pbkdf2) and standard library (crypto/pbkdf2) implementations
• Excludes test files from analysis to focus on production code
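The detection strategy above, as an added example that is not the detector's own code: a go/ast scanner that follows the same steps (find the PBKDF2 import, alias-aware; find calls to its Key function; read the iteration-count argument; report literal counts below 100,000; skip _test.go files). The argument positions come from the two libraries' Key signatures; the threshold and the sample source are the detector description's number and a constructed input, and nothing here is taken from Fluid Attacks' implementation.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// MinIterations is the threshold the detector description quotes.
const MinIterations = 100000

// Index of the iteration-count argument in each package's Key function:
//   golang.org/x/crypto/pbkdf2: Key(password, salt []byte, iter, keyLen int, h func() hash.Hash)
//   crypto/pbkdf2 (Go 1.24+):   Key(h func() hash.Hash, password string, salt []byte, iter, keyLen int)
var iterArgIndex = map[string]int{
	"golang.org/x/crypto/pbkdf2": 2,
	"crypto/pbkdf2":              3,
}

// Finding is one PBKDF2 Key call whose literal iteration count is too low.
type Finding struct {
	File       string
	Line       int
	Iterations int64
}

// ScanSource parses one Go file and reports PBKDF2 Key calls with a literal
// iteration count below MinIterations. Test files are skipped, as in the detector.
func ScanSource(filename, src string) ([]Finding, error) {
	if strings.HasSuffix(filename, "_test.go") {
		return nil, nil
	}
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Local package name (honouring import aliases) -> iteration argument index.
	pkgs := map[string]int{}
	for _, imp := range file.Imports {
		path, _ := strconv.Unquote(imp.Path.Value)
		if idx, ok := iterArgIndex[path]; ok {
			name := "pbkdf2"
			if imp.Name != nil {
				name = imp.Name.Name
			}
			pkgs[name] = idx
		}
	}
	if len(pkgs) == 0 {
		return nil, nil // no PBKDF2 import, nothing to check
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || sel.Sel.Name != "Key" {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok {
			return true
		}
		idx, ok := pkgs[pkg.Name]
		if !ok || len(call.Args) <= idx {
			return true
		}
		// Only literal counts are decided here; a variable would need constant
		// propagation, which this example does not attempt.
		lit, ok := call.Args[idx].(*ast.BasicLit)
		if !ok || lit.Kind != token.INT {
			return true
		}
		iter, err := strconv.ParseInt(lit.Value, 0, 64) // base 0 accepts 600_000 and 0x...
		if err != nil {
			return true
		}
		if iter < MinIterations {
			findings = append(findings, Finding{filename, fset.Position(call.Pos()).Line, iter})
		}
		return true
	})
	return findings, nil
}

// sampleSource is constructed for this example: one weak call and one acceptable one.
const sampleSource = `package main

import (
	"crypto/sha256"
	"golang.org/x/crypto/pbkdf2"
)

func deriveKey(password string, salt []byte) []byte {
	return pbkdf2.Key([]byte(password), salt, 1000, 32, sha256.New) // too few
}

func deriveKeyOK(password string, salt []byte) []byte {
	return pbkdf2.Key([]byte(password), salt, 600_000, 32, sha256.New)
}
`

func main() {
	findings, err := ScanSource("keys.go", sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d: PBKDF2 with %d iterations (minimum %d)\n", f.File, f.Line, f.Iterations, MinIterations)
	}
}
```

Run against the constructed file it reports only the 1,000-iteration call (line 9); the same source named keys_test.go yields nothing, matching the test-file exclusion. A count passed through a variable or a named constant is deliberately not judged here, which is the usual source of false negatives for a purely syntactic check.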
Vulnerable code example
    package main
    import (
        "crypto/sha256"
        "golang.org/x/crypto/pbkdf2"
    )
    func deriveKey(password string, salt []byte) []byte {...

✅ Secure code example
    package main
    import (
        "crypto/sha512"
        "golang.org/x/crypto/pbkdf2"
    )
    func deriveKey(password string, salt []byte) []byte {...
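To make concrete what the iteration count buys, here is an added example (not code from the page or from either PBKDF2 library) that implements PBKDF2 from crypto/hmac per RFC 8018 and wraps it in a DeriveKey that rejects counts below the 100,000 threshold the detector uses. The password/salt values are the widely published PBKDF2-HMAC-SHA256 test vector; the salt in main is a constructed demo value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"time"
)

// MinIterations mirrors the detector's threshold.
const MinIterations = 100000

// PBKDF2 is a plain implementation of RFC 8018 section 5.2 with HMAC as the PRF:
//   T_i = U_1 xor U_2 xor ... xor U_c
//   U_1 = PRF(P, S || INT_BE(i)),  U_j = PRF(P, U_{j-1})
// Every one of the c iterations is a full HMAC, so cost grows linearly with c,
// for the legitimate verifier and for an attacker guessing passwords alike.
func PBKDF2(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	blocks := (keyLen + hLen - 1) / hLen
	dk := make([]byte, 0, blocks*hLen)
	for i := 1; i <= blocks; i++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// DeriveKey wraps PBKDF2-HMAC-SHA256 and refuses a count below MinIterations,
// so a weak setting fails loudly instead of silently producing a cheap-to-crack hash.
func DeriveKey(password string, salt []byte, iter int) ([]byte, error) {
	if iter < MinIterations {
		return nil, fmt.Errorf("pbkdf2: %d iterations is below the minimum of %d", iter, MinIterations)
	}
	return PBKDF2([]byte(password), salt, iter, 32, sha256.New), nil
}

// VectorHex derives the published PBKDF2-HMAC-SHA256 test vector
// (password "password", salt "salt", 32-byte key) for the given count.
func VectorHex(iter int) string {
	return hex.EncodeToString(PBKDF2([]byte("password"), []byte("salt"), iter, 32, sha256.New))
}

func main() {
	salt := []byte("constructed-demo-salt") // constructed for the demo; use crypto/rand in real code
	if _, err := DeriveKey("hunter2", salt, 1000); err != nil {
		fmt.Println("rejected:", err)
	}
	// Timing shows the linear cost: the attacker's per-guess cost scales the same way.
	for _, c := range []int{1000, MinIterations} {
		start := time.Now()
		PBKDF2([]byte("hunter2"), salt, c, 32, sha256.New)
		fmt.Printf("%7d iterations: %v\n", c, time.Since(start))
	}
}
```

The known-answer check (count 1 and count 4096 against the published vector) confirms the implementation matches what the libraries compute; the guard in DeriveKey is the runtime counterpart of the static check the detector performs, catching counts that arrive through a variable or configuration rather than a literal.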