Insecure hashing algorithm

ID

c.cryptography.insecure_api_crypt

Severity

critical

Resource

Cryptography

Language

C / C++

Description

The crypt and crypt_r functions are not recommended for password hashing because of their very small key space (56 bits). Modern hardware can brute-force password hashes created with crypt relatively quickly. Consider using one of the Argon2id, scrypt or bcrypt password hashing algorithms instead.

Rationale

The crypt and crypt_r functions are not recommended for password hashing because of their very small key space (56 bits). Modern hardware can brute-force password hashes created with crypt relatively quickly. Consider using one of the Argon2id, scrypt or bcrypt password hashing algorithms instead.

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
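
An added example, not part of this detector or its documentation: after crypt and crypt_r calls are replaced, stored hashes in the old format still have to be found so they can be migrated. The helper below flags strings in the 13-character traditional DES crypt format (the scheme with the 56-bit key space) and recognises the prefixes of the recommended algorithms; the names classify_hash, count_legacy and SAMPLE, the prefix list and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Result of inspecting one stored password-hash string. */
enum hash_class { HASH_RECOMMENDED, HASH_LEGACY_DES, HASH_OTHER };

/* Traditional DES crypt output: 13 chars of "./0-9A-Za-z", no '$' prefix. */
static int is_traditional_des(const char *h)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return strlen(h) == 13 && strspn(h, alphabet) == 13;
}

/* Scheme prefixes for Argon2id, bcrypt and scrypt (assumed storage formats).
 * A prefix identifies the scheme only; cost parameters are not checked. */
enum hash_class classify_hash(const char *h)
{
    static const char *const ok[] = {
        "$argon2id$", "$2a$", "$2b$", "$2y$", "$7$", "$scrypt$"
    };
    if (h == NULL)
        return HASH_OTHER;
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        if (strncmp(h, ok[i], strlen(ok[i])) == 0)
            return HASH_RECOMMENDED;
    return is_traditional_des(h) ? HASH_LEGACY_DES : HASH_OTHER;
}

/* Number of entries still in the legacy DES format. */
size_t count_legacy(const char *const *hashes, size_t n)
{
    size_t legacy = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_hash(hashes[i]) == HASH_LEGACY_DES)
            legacy++;
    return legacy;
}

/* Constructed sample values: only the format is meaningful. */
static const char *const SAMPLE[] = {
    "abCDEFGHIJKLM",                                /* 2-char salt + 11-char DES hash */
    "$2b$12$constructedSaltAndHashValue",           /* bcrypt */
    "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA", /* Argon2id, PHC form */
    "not-a-hash",
};

int main(void)
{
    printf("legacy DES hashes: %zu of 4\n", count_legacy(SAMPLE, 4));
    return 0;
}
```

Any 13-character string drawn from the same alphabet also matches, so treat hits as candidates to review, not as confirmed legacy hashes.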

Configuration

This detector does not need any configuration.