Abstraction: Variant · Status: Incomplete

CWE-759: Use of a One-Way Hash without a Salt

Category: other

Description

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

Common consequences (1)

  • Access Control — Bypass Protection Mechanism, Gain Privileges or Assume Identity
    If an attacker obtains the stored hashes, the lack of a salt makes brute-force attacks cheaper: precomputed lookup tables such as rainbow tables can be reused against the whole database, identical passwords are immediately visible because they produce identical hashes, and every candidate guess the attacker computes can be checked against all stored hashes at once rather than one at a time.

Potential mitigations (3)

  • [Architecture and Design]
  • [Architecture and Design]If a technique that requires extra computational effort cannot be implemented, then for each password that is processed, generate a new random salt using a cryptographically strong random number generator with unpredictable seeds. Combine the salt with the plaintext password before hashing it, and store the salt alongside the resulting hash; the salt does not need to be secret, only unique. Never reuse the same salt for more than one password, since a shared salt restores the cross-account matching that salting is meant to prevent.
  • [Implementation, Architecture and Design]When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
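The following is an added example, not code from the CWE entry or from SQUR, that shows the consequence and the mitigation side by side: an unsalted SHA-256 store next to a store that uses a fresh os.urandom salt per password (combined with PBKDF2-HMAC-SHA256 so the computational-effort mitigation is covered too). A constructed wordlist stands in for a precomputed rainbow table; the user names, passwords and iteration count are assumptions for illustration. It demonstrates that the precomputed table recovers every matching unsalted password with one lookup each, that two users sharing a password are indistinguishable without a salt, and that the same table finds nothing once salts are in play.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts; alice and bob happen to share a password.
USERS = {
    "alice": "Summer2024!",
    "bob": "Summer2024!",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist. A real rainbow table is computed once and then
# reused against every unsalted hash database it is ever pointed at.
WORDLIST = ["password", "123456", "Summer2024!", "letmein", "qwerty"]

# Assumed work factor for PBKDF2-HMAC-SHA256 (an illustration, not a mandate).
ITERATIONS = 600_000


def hash_unsalted(password: str) -> str:
    """CWE-759 pattern: a bare one-way hash; equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, str]:
    """Mitigation: a fresh per-password salt from the OS CSPRNG is mixed into
    the hash. The salt is returned so the caller stores it next to the digest;
    it is not secret, it only has to be unique."""
    if salt is None:
        salt = os.urandom(16)  # new 128-bit salt for every password processed
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Simplified rainbow table: unsalted digest -> plaintext, computed once."""
    return {hash_unsalted(word): word for word in wordlist}


def crack_unsalted(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per stored hash; no hashing at attack time."""
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored: Dict[str, Tuple[bytes, str]],
                 table: Dict[str, str]) -> Dict[str, str]:
    """The same table against salted records: nothing matches, because the
    attacker would have to rebuild the table once per distinct salt."""
    return {user: table[h] for user, (_, h) in stored.items() if h in table}


def demo() -> dict:
    unsalted_db = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: hash_salted(p) for u, p in USERS.items()}
    table = build_lookup_table(WORDLIST)
    return {
        "same_password_same_hash_unsalted": unsalted_db["alice"] == unsalted_db["bob"],
        "same_password_same_hash_salted": salted_db["alice"][1] == salted_db["bob"][1],
        "cracked_unsalted": crack_unsalted(unsalted_db, table),
        "cracked_salted": crack_salted(salted_db, table),
        "verify_ok": verify_salted("Summer2024!", *salted_db["alice"]),
        "verify_wrong": verify_salted("Summer2025!", *salted_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows alice and bob sharing one unsalted digest and both being recovered from the table, while carol's passphrase is not in the wordlist and survives either way; the salted store yields distinct digests for the two identical passwords and nothing from the table. PBKDF2 is used rather than a plain salted SHA-256 only to show the first and second mitigations together; the salt generation and storage pattern is the same for any password hash.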

References

  1. https://cwe.mitre.org/data/definitions/759.html

Incoming links (1)

Type           Target           Confidence   Tier
Vulnerability  CVE-2025-10205   0%           live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Use of a One-Way Hash with a Predictable Salt
  • CWE: Use of Password Hash With Insufficient Computational Effort
  • CWE: Use of Single-factor Authentication
  • CWE: Use of Password Hash Instead of Password for Authentication
  • CWE: Use of Weak Hash
  • CWE: Inadequate Encryption Strength

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.