Dart Cryptography Argon2 Weak Memory
Description
This detector identifies Dart applications using weak Argon2 password hashing configurations with insufficient memory parameters. Weak memory settings in Argon2 can significantly reduce the cryptographic strength of password hashing, making passwords vulnerable to brute force and dictionary attacks.
Detection Strategy
• Scans Dart source code files that import the dart_cryptography package
• Identifies calls to Argon2 deriveKey methods on Argon2id algorithm instances
• Checks if the Argon2id constructor was configured with weak memory parameters (typically memory values that are too low for secure password hashing)
• Reports vulnerability when deriveKey is called on an Argon2id instance that was created with insufficient memory allocation for cryptographic security
Vulnerable code example
import 'package:cryptography/cryptography.dart';
Future<void> weakArgon2id(String password, List<int> salt) async {
// VULNERABLE: memory 2048 KiB is below OWASP minimum 7168 KiB
await Argon2id(parallelism: 1, memory: 2048, iterations: 3, hashLength: 32)
.deriveKeyFromPassword(password: password, nonce: salt);
}✅ Secure code example
import 'package:cryptography/cryptography.dart';
Future<void> strongArgon2id(String password, List<int> salt) async {
// SAFE: memory 7168 KiB meets OWASP minimum requirements
await Argon2id(parallelism: 1, memory: 7168, iterations: 3, hashLength: 32)
.deriveKeyFromPassword(password: password, nonce: salt);
}Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.