SYM_JSTS_0131 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Password Hash With Insufficient Computational Effort
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-916: Use of Password Hash With Insufficient Computational Effort |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | High |
Description
The code uses Argon2 for password hashing but does not explicitly select the Argon2id variant, which is the recommended choice for password storage. Argon2d uses data-dependent memory access and is therefore exposed to side-channel attacks, while Argon2i uses data-independent access and gives weaker resistance to GPU and time-memory trade-off cracking; Argon2id combines both modes to cover each weakness. Relying on a library default or choosing Argon2d or Argon2i can leave password hashes more vulnerable if an attacker gains access to the system.
Impact
If Argon2id is not used, an attacker with access to the computing environment or to the stored hashes may exploit the weaknesses of Argon2d or Argon2i, making offline password cracking easier. This can lead to compromised user accounts and broader security breaches if the password database is stolen.
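The following is an added example, not code from the SymbioticSec database or from any project it describes. It shows the fix from a defender's side in Node.js: an options object that sets the Argon2 variant explicitly, a check that flags options which omit `type` or pick a non-id variant, and an audit over stored hashes in PHC string format so records hashed with Argon2d or Argon2i can be scheduled for rehashing at the user's next login. The numeric constants mirror the `argon2d`/`argon2i`/`argon2id` exports of the node-argon2 package (0, 1, 2), which is an assumption about that library; the sample records and their salts and digests are constructed placeholders, not real hashes.

```javascript
// Added example (not part of the SymbioticSec entry): make the Argon2id choice
// explicit and detect records that were hashed with another variant.
// Assumption: stored hashes use the PHC string format that node-argon2 emits,
// "$argon2id$v=19$m=<kib>,t=<iters>,p=<lanes>$<salt>$<digest>", and the type
// constants below match node-argon2's numeric exports.

const ARGON2D = 0;
const ARGON2I = 1;
const ARGON2ID = 2;

// Options to pass to argon2.hash(password, options). Setting `type` explicitly is
// the fix for this finding; the cost parameters follow RFC 9106's second
// recommended option (64 MiB memory, 3 passes, 4 lanes).
function argon2idOptions() {
  return { type: ARGON2ID, memoryCost: 65536, timeCost: 3, parallelism: 4 };
}

// Check an options object the way a linter for this finding would: flag it when
// `type` is absent (relying on the library default) or set to a non-id variant.
function checkOptions(opts) {
  if (opts == null || opts.type === undefined) return 'type not set explicitly';
  if (opts.type !== ARGON2ID) return 'type is not argon2id';
  return 'ok';
}

// Parse a PHC-formatted Argon2 string into its components; null if it is not one.
function parseArgon2Hash(phc) {
  const m = /^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$/.exec(phc);
  if (!m) return null;
  return {
    variant: m[1],
    version: Number(m[2]),
    memoryCost: Number(m[3]),
    timeCost: Number(m[4]),
    parallelism: Number(m[5]),
  };
}

// Audit stored records: report every hash that is not Argon2id (or not Argon2 at
// all) so it can be rehashed with argon2idOptions() after the next successful login.
function auditStoredHashes(records) {
  const findings = [];
  for (const { user, hash } of records) {
    const parsed = parseArgon2Hash(hash);
    if (!parsed) {
      findings.push({ user, reason: 'not an Argon2 PHC string' });
    } else if (parsed.variant !== 'argon2id') {
      findings.push({ user, reason: `uses ${parsed.variant} instead of argon2id` });
    }
  }
  return findings;
}

// Constructed sample records: salt/digest fields are placeholder base64, not real hashes.
const SAMPLE_RECORDS = [
  { user: 'alice', hash: '$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$ZGlnZXN0ZGlnZXN0ZGlnZXN0' },
  { user: 'bob',   hash: '$argon2i$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$ZGlnZXN0ZGlnZXN0ZGlnZXN0' },
  { user: 'carol', hash: '$argon2d$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$ZGlnZXN0ZGlnZXN0ZGlnZXN0' },
  { user: 'dave',  hash: '$2b$12$placeholderbcrypthashvalue' },
];

console.log(checkOptions(argon2idOptions()));   // ok
console.log(auditStoredHashes(SAMPLE_RECORDS)); // bob, carol and dave are flagged
```

In practice the audit runs against the credential store once, and the rehash itself happens inside the login path, because the plaintext password is only available there; verifying with the old hash first and then replacing it with an Argon2id hash keeps the migration transparent to users.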