051 – Cracked weak credentials

Description

The low complexity of the hashes stored in the database considerably reduces the amount of time required to crack them.

Impact

Unauthorized access, or even the insufficient data validation can make the system vulnerable.

Recommendation

Ensure that functions of password summary have a minimum size of 256 bits.

Threat

Authenticated attacker from Internet with access to the hashes.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: A
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 134 - Store passwords with salt
• 135 - Passwords with random salt
• 150 - Set minimum size for hash functions

Fixes

• Csharp
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/08