
CWE-916 (Use of Password Hash With Insufficient Computational Effort) — Vulnerability Class 44

44 vulnerabilities classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort).

CWE-916 represents a critical cryptographic weakness where systems store password hashes using algorithms that require insufficient computational effort, thereby failing to impede brute-force or dictionary attacks. Attackers typically exploit this vulnerability by employing high-speed hardware, such as GPUs or ASICs, to rapidly guess millions of potential passwords against the stored hash. Because the hashing process is too fast, the time required to crack credentials becomes negligible, leading to unauthorized access and data breaches. To mitigate this risk, developers must implement adaptive hashing functions like bcrypt, scrypt, or Argon2, which allow for configurable work factors. By intentionally increasing the computational cost of hashing, organizations ensure that even with powerful hardware, attackers face prohibitive time and resource constraints, effectively rendering large-scale password cracking infeasible.

MITRE CWE Description

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Many password storage mechanisms compute a hash and store the hash, instead of storing the original password in plaintext. In this design, authentication involves accepting an incoming password, computing its hash, and comparing it to the stored hash.

Many hash algorithms are designed to execute quickly with minimal overhead, even cryptographic hashes. However, this efficiency is a problem for password storage, because it can reduce an attacker's workload for brute-force password cracking. If an attacker can obtain the hashes through some other method (such as SQL injection on a database that stores hashes), then the attacker can store the hashes offline and use various techniques to crack the passwords by computing hashes efficiently. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a very short amount of time, using massively-parallel computing (such as cloud computing) and GPU, ASIC, or FPGA hardware. In such a scenario, an efficient hash algorithm helps the attacker.

There are several properties of a hash scheme that are relevant to its strength against an offline, massively-parallel attack:
- The amount of CPU time required to compute the hash ("stretching")
- The amount of memory r…
Common Consequences (1)

Scope: Access Control
Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity

If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes.
Mitigations (2)

Phase: Architecture and Design
Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For ex…
Effectiveness: High

Phase: Implementation, Architecture and Design
When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
Examples (1)

In this example, a new user provides a new username and password to create an account. The program hashes the new user's password then stores it in a database.

Bad · Python

```python
import hashlib

def storePassword(userName, Password):
    # Unsalted MD5: a fast hash with no built-in workload, so an attacker
    # holding the stored digests can try candidates at full hardware speed
    hasher = hashlib.new('md5')
    hasher.update(Password)
    hashedPassword = hasher.digest()
    # UpdateUserLogin returns True on success, False otherwise
    return updateUserLogin(userName, hashedPassword)
```

Good · Python

```python
import hashlib

def storePassword(userName, Password):
    # The salt is fed into the MD5 state before the password is appended
    hasher = hashlib.new('md5', b'SaltGoesHere')
    hasher.update(Password)
    hashedPassword = hasher.digest()
    # UpdateUserLogin returns True on success, False otherwise
    return updateUserLogin(userName, hashedPassword)
```
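The mitigation above calls for an adaptive hash whose work factor can be raised over time, and the MITRE example shows only the storage side. The following is an added example, not MITRE's demonstrative code and not from any of the listed products: it stores a per-user random salt and the iteration count alongside the digest (PBKDF2-HMAC-SHA256 from the Python standard library, chosen here because it needs no third-party package; bcrypt, scrypt or Argon2 would be used the same way), verifies in constant time, and detects records whose cost is below the current minimum so they can be re-hashed at the next successful login. The record format and the names `hash_password`, `verify_password`, `needs_rehash` and `login` are this example's own assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Added example (not MITRE's code). Record format, assumed for this example:
#   pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>
# Keeping the parameters in the record is what makes the scheme adaptive:
# the cost can be raised later without invalidating existing accounts.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # current work factor; raise as hardware gets faster
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt (unless one is supplied) and the given work factor."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unique per user; defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored record into (algorithm, iterations, salt, digest)."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return algorithm, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    _, iterations, salt, expected = parse_record(record)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored record was produced with less work than is now required."""
    _, iterations, _, _ = parse_record(record)
    return iterations < minimum_iterations


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify the password; on success, upgrade a too-cheap record to the current cost.

    Returns (accepted, record_to_store). The password is only available in
    plaintext at login time, so this is the moment the work factor can be raised.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record


def hashes_per_second(fn, rounds: int = 20) -> float:
    """Rough throughput of a hash call, to show the cost gap between MD5 and PBKDF2."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed sample password
    legacy = hash_password(pw, iterations=1_000)  # a record made with a too-low cost
    accepted, upgraded = login(pw, legacy)
    print("accepted:", accepted, "| legacy needs rehash:", needs_rehash(legacy),
          "| upgraded needs rehash:", needs_rehash(upgraded))
    print("md5 hashes/s   :", round(hashes_per_second(lambda: hashlib.md5(pw.encode()).digest())))
    print("pbkdf2 hashes/s:", round(hashes_per_second(lambda: hash_password(pw), rounds=3), 2))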
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-13532 | Weak Password Hash in Core Privileged Access Manager (BoKS) | Core Privileged Access Manager (BoKS) | 6.2 | Medium | 2025-12-16 |
| CVE-2025-41692 | Weak/Predictable root Password | FL SWITCH 2005 | 6.8 | Medium | 2025-12-09 |
| CVE-2025-46413 | BUFFALO WSR-1800AX4 Series security vulnerability | WSR-1800AX4 | 7.5 | - | 2025-11-07 |
| CVE-2025-7789 | Xuxueli xxl-job Token Generation IndexController.java makeToken weak password hash | xxl-job | 3.7 | Low | 2025-07-18 |
| CVE-2025-3937 | Use of Password Hash with Insufficient Computational Effort | Niagara Framework | 7.7 | High | 2025-05-22 |
| CVE-2025-24340 | Bosch Rexroth ctrlX OS security vulnerability | ctrlX OS - Device Admin | 6.5 | Medium | 2025-04-30 |
| CVE-2025-2349 | IROAD Dash Cam FX2 Password Hash passwd weak password hash | Dash Cam FX2 | 3.1 | Low | 2025-03-16 |
| CVE-2025-2265 | Santesoft Sante PACS Server HTTP.db SHA1 Hash Truncation | Sante PACS Server | 7.8 | High | 2025-03-13 |
| CVE-2024-5743 | Command Injection Vulnerability | Eve Play | 9.8 | Critical | 2025-01-13 |
| CVE-2024-7701 | Misuse of SHA256 to create an encryption key | percona-toolkit | 8.4 | - | 2024-12-15 |
| CVE-2024-24553 | Bludit uses SHA1 as Password Hashing Algorithm | Bludit | 9.1 | Critical | 2024-06-24 |
| CVE-2024-3183 | Freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force | | 8.1 | High | 2024-06-12 |
| CVE-2024-21754 | Fortinet FortiOS and Fortinet FortiProxy security vulnerability | FortiProxy | 1.7 | Low | 2024-06-11 |
| CVE-2024-29886 | Improved security for stored password hashes | serverpod | 5.3 | Medium | 2024-03-27 |
| CVE-2024-2365 | Musicshelf SHA-1 PinningTrustManager.java weak password hash | Musicshelf | 1.6 | Low | 2024-03-10 |
| CVE-2024-25607 | Liferay Portal and Liferay DXP security vulnerability | Portal | 8.1 | High | 2024-02-20 |
| CVE-2023-5846 | Use of Password Hash With Insufficient Computational Effort in Franklin Fueling System TS-550 | TS-550 | 8.3 | High | 2023-11-02 |
| CVE-2022-47557 | Use of Password Hash With Insufficient Computational Effort in Ormazabal products | ekorCCP | 6.1 | Medium | 2023-09-19 |
| CVE-2023-4986 | Supcon InPlant SCADA Project.xml unknown vulnerability | InPlant SCADA | 2.5 | Low | 2023-09-15 |
| CVE-2023-34433 | PiiGAB M-Bus Use of Password Hash With Insufficient Computational Effort | M-Bus SoftwarePack | 7.5 | High | 2023-07-06 |
| CVE-2023-27580 | CodeIgniter Shield Password Shucking Vulnerability | shield | 7.5 | High | 2023-03-13 |
| CVE-2022-26115 | Fortinet FortiSandbox security vulnerability | FortiSandbox | 5.4 | Medium | 2023-02-16 |
| CVE-2022-40258 | Weak password hashes for Redfish & API | MegaRAC SPx-12 | 5.3 | Medium | 2023-01-31 |
| CVE-2020-12069 | CODESYS V3 prone to Inadequate Password Hashing | CODESYS V3 containing the CmpUserMgr | 7.8 | High | 2022-12-26 |
| CVE-2022-40295 | Authenticated sensitive information disclosure in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC. | PHP Point of Sale | 4.9 | - | 2022-10-31 |
| CVE-2021-32997 | Baker Hughes Bently Nevada 3500 - Use of Password Hash with Insufficient Computational Effort | 3500 System 1 6.x, Part No. 3060/00 | 8.2 | High | 2022-05-25 |
| CVE-2020-16231 | All Bachmann M1 System Processor Modules - Use of Password Hash with Insufficient Computational Effort | M1 Hardware Controller MX207 | 7.2 | High | 2022-05-19 |
| CVE-2022-24041 | Multiple Siemens products security vulnerability | Desigo DXR2 | 6.5 | - | 2022-05-10 |
| CVE-2022-1235 | Weak secrethash can be brute-forced in livehelperchat/livehelperchat | livehelperchat/livehelperchat | 5.3 | - | 2022-04-05 |
| CVE-2022-0022 | PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes | PAN-OS | 4.1 | Medium | 2022-03-09 |

Vulnerabilities classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort) represent 44 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.