
Python : Null salt

Classification

Overview

Using a salt whose value is None is not recommended.

One method of attacking a password authentication system uses tables of pre-computed hash values for popular passwords. A salt is an arbitrary string that is concatenated with the original data (usually a password) before it is fed into the hash function, in order to prevent such an attack.

A constant salt hardcoded in the application's source code may jeopardize the security of the system. At a minimum, the value of the salt is accessible to all of the application's developers. If the same salt value is used in the final version of the application, it can be removed only through an update.
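The following added example (not DerScanner's code) contrasts a hash computed with a None salt against a per-password random salt, and includes a check for stored hashes shared between accounts, which indicates a missing or constant salt. All function names, the iteration count and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # constructed work factor for this example


def hash_without_salt(password: str) -> bytes:
    """Weak form: the salt is None, so nothing is mixed into the hash."""
    salt = None
    return hashlib.sha256((salt or b"") + password.encode()).digest()


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Hardened form: a fresh random salt per password, stored with the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt; reject a null or empty salt."""
    if not salt:
        raise ValueError("salt must be a non-empty random value")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def shared_hashes(stored: dict[str, bytes]) -> list[list[str]]:
    """Group accounts whose stored hashes are identical.

    With per-password salts this list is empty; any group means equal
    passwords produce equal hashes, which a pre-computed table relies on.
    """
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; alice and bob chose the same password.
    passwords = {"alice": "hunter2", "bob": "hunter2", "carol": "tr0ub4dor"}
    weak = {user: hash_without_salt(pw) for user, pw in passwords.items()}
    strong = {user: hash_password(pw)[1] for user, pw in passwords.items()}
    print("unsalted, shared hashes:", shared_hashes(weak))
    print("salted, shared hashes:  ", shared_hashes(strong))
```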

DerScanner Severity Score: MEDIUM
