CWE-916: Use of Password Hash With Insufficient Computational Effort
low-risk
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
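As an added illustration that is not part of the CWE entry, the weak pattern (one unsalted pass of a fast digest) sits beside a salted PBKDF2 form with a tunable work factor, plus a small configuration-checker style triage of stored credential strings. The iteration floor and the `pbkdf2_sha256$...` record layout are assumptions for this example, not values from the page.

```python
import hashlib
import hmac
import os
import re

# Work-factor floor assumed for this example; tune to current guidance and hardware.
MIN_PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """The CWE-916 pattern: a single unsalted pass of a fast general-purpose hash.
    Output like this can be tested at very high guess rates on commodity hardware."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hardened_hash(password: str, iterations: int = MIN_PBKDF2_ITERATIONS, salt=None) -> str:
    """Salted PBKDF2-HMAC-SHA256 with an explicit iteration count, stored in a
    self-describing record so the cost can be raised later without a password reset."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the parameters carried in the record; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def audit_stored_hash(stored: str) -> str:
    """Configuration-checker style triage of one stored credential string.
    Bare hex the length of an MD5/SHA-1/SHA-256 digest is the CWE-916 smell;
    a PBKDF2 record is only acceptable when its iteration count meets the floor."""
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", stored):
        return "weak: bare fast-hash digest, no salt, no work factor"
    if stored.startswith("pbkdf2_sha256$"):
        iterations = int(stored.split("$")[1])
        if iterations < MIN_PBKDF2_ITERATIONS:
            return f"weak: only {iterations} iterations"
        return "ok"
    return "unknown scheme: review manually"


if __name__ == "__main__":
    # Constructed sample password for the demo; not a real credential.
    record = hardened_hash("correct horse battery staple")
    print(audit_stored_hash(weak_hash("correct horse battery staple")))
    print(audit_stored_hash(record), verify("correct horse battery staple", record))
```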
Common Consequences
Detection Methods
According to SOAR [REF-1479], the following detection techniques may be useful:

Highly cost effective:
- Focused Manual Spotcheck - focused manual analysis of source
- Manual Source Code Review (not inspections)
- Source code Weakness Analyzer
- Context-configured Source Code Weakness Analyzer
- Formal Methods / Correct-By-Construction

Cost effective for partial coverage:
- Bytecode Weakness Analysis - including disassembler + source code weakness analysis
- Binary Weakness Analysis - including disassembler + source code weakness analysis
- Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
- Configuration Checker
- Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Real-World Examples (10)
| CVE | CVSS score | EPSS probability | CISA KEV |
|---|---|---|---|
| CVE-2021-38314 | 5.3 | 91.6% | — |
| CVE-2024-3183 | 8.1 | 21.2% | — |
| CVE-2018-10618 | 9.8 | 18.5% | — |
| CVE-2023-33243 | 8.1 | 13.7% | — |
| CVE-2024-21754 | 1.8 | 4.9% | — |
| CVE-2005-0408 | 9.8 | 2.6% | — |
| CVE-2014-2560 | 7.5 | 2.1% | — |
| CVE-2022-23348 | 5.3 | 1.2% | — |