Ruby : Nil salt
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
OWASP MASVS
HIPAA
CWE/SANS Top 25 2011
Overview
Never pass nil as the salt to a password hashing routine. In Ruby a nil salt does not always fail loudly: a direct String concatenation (password + salt) raises a TypeError, but inside string interpolation or after to_s it silently becomes the empty string, so the password is hashed with no salt at all and every user with the same password ends up with the same digest.
One class of attack on password authentication uses tables of precomputed hashes of common passwords (rainbow tables). A salt is a random value, generated per password, that is fed into the hash function together with the password so that such a table cannot be reused across users or systems. It does not need to be secret, but it does need to be unique and unpredictable.
A constant salt hardcoded in the application's source code is only marginally better than none. At a minimum, the value is known to every developer with access to the repository, and because it is shared by all users, a single precomputed table built for that salt covers every account. Once the application has shipped, the salt can be changed only through an update, and existing hashes must then be migrated. Use a fresh salt from a cryptographically secure random source for each password, and prefer a purpose-built password hashing function (PBKDF2, bcrypt, scrypt or Argon2) over a plain digest, as CWE-916 and the OWASP Password Storage Cheat Sheet recommend.
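The following example, added here to illustrate the overview (it is not DerScanner's own code), shows the nil-salt pattern beside a hardened form built on Ruby's standard library. weak_hash demonstrates how a nil salt disappears inside interpolation; hash_password and verify_password use a random 16-byte salt from SecureRandom and PBKDF2-HMAC-SHA256 via OpenSSL::PKCS5, refuse a nil or empty salt, and store salt and derived key together. The encoded record format, the function names and the iteration count (taken from the OWASP recommendation for PBKDF2-HMAC-SHA256) are assumptions of this example, not values prescribed by the page.

```ruby
require "digest"
require "openssl"
require "securerandom"

# Vulnerable pattern: a nil salt vanishes inside string interpolation
# ("#{nil}" == ""), so the password is hashed unsalted and two users
# with the same password get identical digests.
def weak_hash(password, salt = nil)
  Digest::SHA256.hexdigest("#{salt}#{password}")
end

# Assumed parameters for the hardened form (OWASP recommendation for
# PBKDF2-HMAC-SHA256 at the time of writing; tune to your hardware).
PBKDF2_ITERATIONS = 600_000
PBKDF2_KEY_LENGTH = 32
SALT_LENGTH = 16

# Hardened pattern: a fresh random salt per password, a deliberately slow
# KDF, and an explicit check that the salt is present. The record layout
# "pbkdf2-sha256$iterations$salt_b64$key_b64" is an assumption of this example.
def hash_password(password, salt: SecureRandom.random_bytes(SALT_LENGTH),
                  iterations: PBKDF2_ITERATIONS)
  raise ArgumentError, "salt must be a non-empty String" if salt.nil? || salt.empty?

  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations,
                                   PBKDF2_KEY_LENGTH, "sha256")
  ["pbkdf2-sha256", iterations, [salt].pack("m0"), [key].pack("m0")].join("$")
end

# Recompute the key from the stored salt and iteration count and compare in
# constant time so timing does not leak how many leading bytes matched.
def verify_password(stored, candidate)
  algo, iterations, salt_b64, key_b64 = stored.split("$", 4)
  return false unless algo == "pbkdf2-sha256" && salt_b64 && key_b64

  salt = salt_b64.unpack1("m0")
  expected = key_b64.unpack1("m0")
  actual = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iterations.to_i,
                                      expected.bytesize, "sha256")
  secure_compare(actual, expected)
end

# Constant-time byte comparison for equal-length strings.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: two accounts sharing one password.
  puts "weak, user A: #{weak_hash('hunter2', nil)}"
  puts "weak, user B: #{weak_hash('hunter2')}"          # identical digest
  puts "hardened, user A: #{hash_password('hunter2')}"
  puts "hardened, user B: #{hash_password('hunter2')}"  # different salt, different key
end
```

Because hash_password reads the salt from a keyword default, an explicit salt: nil reaches the guard and raises instead of silently degrading; that is the check a reviewer should look for wherever a salt can arrive from configuration or a database column that may be NULL.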
References
- CWE-759: Use of a One-Way Hash without a Salt
- CWE-916: Use of Password Hash With Insufficient Computational Effort
- OWASP Top 10 2017-A3-Sensitive Data Exposure
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- OWASP: Password Storage Cheat Sheet
- Salt and pepper, please: a note on password storage - blog.filippo.io
DerScanner Severity Score: MEDIUM
See also
- Ruby : Weak hashing algorithm
- Ruby : Empty encryption key