CWE-916: Use of Password Hash With Insufficient Computational Effort
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
常见后果
影响范围: Access Control
技术影响: Bypass Protection Mechanism Gain Privileges or Assume Identity
说明: If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes.
潜在缓解措施
阶段: Architecture and Design
有效性: High
阶段: Implementation Architecture and Design
描述: When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
检测方法
方法: Automated Static Analysis - Binary or Bytecode
有效性: SOAR Partial
方法: Manual Static Analysis - Binary or Bytecode
有效性: SOAR Partial
方法: Manual Static Analysis - Source Code
有效性: High
方法: Automated Static Analysis - Source Code
有效性: High
方法: Automated Static Analysis
有效性: SOAR Partial
方法: Architecture or Design Review
有效性: High
观察示例
参考: CVE-2008-1526
Router does not use a salt with a hash, making it easier to crack passwords.
参考: CVE-2006-1058
Router does not use a salt with a hash, making it easier to crack passwords.
参考: CVE-2008-4905
Blogging software uses a hard-coded salt when calculating a password hash.
参考: CVE-2002-1657
Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.
参考: CVE-2001-0967
Server uses a constant salt when encrypting passwords, simplifying brute force attacks.
参考: CVE-2005-0408
chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |