263 – Insecure encryption algorithm - MD5

Description

The web application uses insecure algorithms such as MD5 to hash passwords.

Impact

Crack captured credential easily.

Recommendation

Use secure hashing algorithms to store passwords like PBKDF2.

Threat

Authenticated attacker from the Internet with compromised DB hashes.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 148 - Set minimum size of asymmetric encryption
• 150 - Set minimum size for hash functions

Fixes

• Csharp
• Elixir
• Go
• Java
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/18