CWE-759β€”Use of a One-Way Hash without a Salt

PUBLISHEDweakness record
released 2009-03-10 Β· last modified 2025-12-11

Metadata

CWE ID:
CWE-759
Abstraction:
Variant
Structure:
Simple
Status:
Incomplete
Release Date:
2009-03-10
Latest Modification Date:
2025-12-11

Weakness Name

Use of a One-Way Hash without a Salt

Description

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables. It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. See CWE-916 for more details.

Common Consequences

Scope:
Access Control
Impact:
Bypass Protection Mechanism, Gain Privileges or Assume Identity
Notes:
If an attacker can gain access to the hashes, then the lack of a salt makes it easier to conduct brute force attacks using techniques such as rainbow tables.

Related Weaknesses