
CWE-916 (Use of Password Hash With Insufficient Computational Effort) — Vulnerability Class 44

44 vulnerabilities classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort). AI Chinese analysis included.

CWE-916 represents a critical cryptographic weakness where systems store password hashes using algorithms that require insufficient computational effort, thereby failing to impede brute-force or dictionary attacks. Attackers typically exploit this vulnerability by employing high-speed hardware, such as GPUs or ASICs, to rapidly guess millions of potential passwords against the stored hash. Because the hashing process is too fast, the time required to crack credentials becomes negligible, leading to unauthorized access and data breaches. To mitigate this risk, developers must implement adaptive hashing functions like bcrypt, scrypt, or Argon2, which allow for configurable work factors. By intentionally increasing the computational cost of hashing, organizations ensure that even with powerful hardware, attackers face prohibitive time and resource constraints, effectively rendering large-scale password cracking infeasible.

MITRE CWE Description
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Many password storage mechanisms compute a hash and store the hash, instead of storing the original password in plaintext. In this design, authentication involves accepting an incoming password, computing its hash, and comparing it to the stored hash.

Many hash algorithms are designed to execute quickly with minimal overhead, even cryptographic hashes. However, this efficiency is a problem for password storage, because it can reduce an attacker's workload for brute-force password cracking. If an attacker can obtain the hashes through some other method (such as SQL injection on a database that stores hashes), then the attacker can store the hashes offline and use various techniques to crack the passwords by computing hashes efficiently. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a very short amount of time, using massively-parallel computing (such as cloud computing) and GPU, ASIC, or FPGA hardware. In such a scenario, an efficient hash algorithm helps the attacker.

There are several properties of a hash scheme that are relevant to its strength against an offline, massively-parallel attack:
- The amount of CPU time required to compute the hash ("stretching")
- The amount of memory r…
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity.
If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes.
Mitigations (2)
Phase: Architecture and Design. Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For ex…
Effectiveness: High
Phases: Implementation; Architecture and Design. When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
Examples (1)
In this example, a new user provides a new username and password to create an account. The program hashes the new user's password then stores it in a database.

Bad · Python

```python
import hashlib

def storePassword(userName, Password):
    # Single unsalted MD5 digest of the password: fast to compute, so offline
    # guessing against a leaked hash is cheap (CWE-916)
    hasher = hashlib.new('md5')
    hasher.update(Password)
    hashedPassword = hasher.digest()
    # updateUserLogin (the application's own storage routine) returns True on success, False otherwise
    return updateUserLogin(userName, hashedPassword)
```

Good · Python

```python
import hashlib

def storePassword(userName, Password):
    # Seeds the MD5 digest with a salt before the password is hashed
    hasher = hashlib.new('md5', b'SaltGoesHere')
    hasher.update(Password)
    hashedPassword = hasher.digest()
    # updateUserLogin (the application's own storage routine) returns True on success, False otherwise
    return updateUserLogin(userName, hashedPassword)
```
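The mitigation above calls for an adaptive hash with a configurable work factor, and the "Good" variant listed here adds a salt but still computes a single MD5 digest, which the mitigation text itself names as an intentionally-fast function. The following is an added example (not MITRE's code and not from any product in the CVE list) showing what that mitigation looks like in practice with only the Python standard library: PBKDF2-HMAC-SHA256 with a per-user random salt, the work factor stored alongside the hash so it can be raised later, constant-time comparison on verification, a `needs_rehash` check for migrating weaker records, and a rough measurement of how much more expensive each guess becomes. The record format `pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>`, the function names and the iteration counts are this example's own choices.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Record format used by this example (an assumption, not a standard):
#   pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>
# Storing the parameters with the hash lets the work factor be raised later
# without invalidating existing records.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # work factor; raise as attacker hardware gets faster


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password with a per-user salt and a configurable iteration count."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record uses a weaker scheme or work factor than current policy.
    Call after a successful login and re-store the password with hash_password."""
    try:
        algorithm, iterations, _, _ = stored.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(iterations) < minimum_iterations


def cost_ratio(iterations: int = 100_000, samples: int = 2000) -> float:
    """How many times longer one PBKDF2 computation takes than one MD5 digest on
    this machine. The ratio, not the absolute timing, is the point: it is roughly
    the factor by which an attacker's offline guessing rate drops once a work
    factor is added to the scheme."""
    pw, salt = b"password", b"\x00" * 16  # constructed sample inputs
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.md5(salt + pw).digest()
    md5_per_call = max((time.perf_counter() - start) / samples, 1e-9)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    pbkdf2_per_call = time.perf_counter() - start
    return pbkdf2_per_call / md5_per_call


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("tr0ub4dor&3", record))
    legacy = hash_password("correct horse battery staple", iterations=1000)
    print("legacy record needs rehash:", needs_rehash(legacy))
    print("PBKDF2 (100k iter) vs MD5 cost ratio: %.0fx" % cost_ratio())
```

The iteration count is a policy knob: pick a value that keeps a login under a tolerable latency on the server and revisit it periodically, and use `needs_rehash` at login time so that records created under an older, lower setting are upgraded transparently. scrypt (`hashlib.scrypt`) or Argon2 (third-party package) add the memory-hardness that the CWE description lists as the second relevant property; the storage and verification pattern is the same.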
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2021-43989 | mySCADA myPRO — myPRO | 7.5 | High | 2021-12-23 |
| CVE-2021-38400 | Use of Password Hash with Insufficient Computational Effort for Boston Scientific Zoom Latitude — ZOOM LATITUDE | 6.9 | Medium | 2021-10-04 |
| CVE-2021-33003 | Delta Electronics DIAEnergie Cryptographic Issues Vulnerability — Delta Electronics DIAEnergie | 6.2 | - | 2021-08-30 |
| CVE-2021-32519 | QSAN Storage Manager, XEVO, SANOS - Use of Password Hash With Insufficient Computational Effort — Storage Manager | 9.8 | Critical | 2021-07-07 |
| CVE-2021-22741 | Schneider Electric EcoStruxure Geo SCADA Expert Security Vulnerability — ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior) | 8.4 | - | 2021-05-26 |
| CVE-2020-14516 | Rockwell Automation FactoryTalk Services Platform Security Vulnerability — Rockwell Automation FactoryTalk Services Platform | 10.0 | - | 2021-03-18 |
| CVE-2020-6780 | Password Hash With Insufficient Computational Effort in the Database of Bosch FSM-2500 Server and Bosch FSM-5000 Server — FSM-2500 | 4.4 | Medium | 2021-01-25 |
| CVE-2020-14389 | Red Hat Single Sign-On Security Vulnerability — keycloak | 8.1 | - | 2020-11-17 |
| CVE-2020-14512 | USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT CWE-916 — GateManager | 8.1 | High | 2020-08-25 |
| CVE-2020-10040 | Siemens SICAM MMU, SGU and T Security Vulnerability — SICAM MMU | 5.5 | - | 2020-07-14 |
| CVE-2018-13811 | Siemens SIMATIC STEP 7 Security Vulnerability — SIMATIC STEP 7 (TIA Portal) | 5.5 | - | 2018-12-13 |
| CVE-2018-15717 | Open Dental Security Vulnerability — Open Dental | 7.5 | - | 2018-12-12 |
| CVE-2018-10618 | Davolink DVW-3200N Security Vulnerability — DVW-3200N | 9.8 | - | 2018-08-01 |
| CVE-2014-2354 | Cogent DataHub Use of Password Hash With Insufficient Computational Effort — DataHub | 9.8 | - | 2014-05-30 |

Vulnerabilities classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort) represent 44 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.