Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms :: Recipe Details

Recipe Name:

Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms

Description:

Could lead to data exposure

Level:

error

Language:

java

Tags:

Spring
security
framework specific
Spring Security

Documentation

Passwords should be hashed using strong algorithms, such as the BCryptPasswordEncoder.

Before

PasswordEncoder passwordEncoder = new ShaPasswordEncoder();

After

PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

Resources

Owasp Cheat sheet: Password Storage - bcrypt

Recipe

id: scw:spring:security:hash-passwords
version: 10
metadata:
  name: 'Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms'
  shortDescription: Could lead to data exposure
  level: error
  language: java
  newCodeOnly: false
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: descriptions/DataProtectionSecureDataStorageAvoidDataExposureHashpasswordsusingstronghashingalgorithms.html
  tags: Spring;security;framework specific;Spring Security
search:
  instanceCreation:
    not:
      anyOf:
      - in:
          assignment:
            variableType:
              reference:
                matches: (.*ShaPasswordEncoder|Md.PasswordEncoder|MessageDigestPasswordEncoder|StandardPasswordEncoder|PlaintextPasswordEncoder)
              checkInheritance: false
    type:
      reference:
        matches: (.*ShaPasswordEncoder|Md.PasswordEncoder|MessageDigestPasswordEncoder|StandardPasswordEncoder|PlaintextPasswordEncoder)
      checkInheritance: false
availableFixes:
- name: Use BCryptPasswordEncoder
  actions:
  - rewrite:
      to: new org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder()