CWE-916 Insufficient Hash Effort
What this means
SiteShadow flagged password hashing that is too "fast" (or configured with too-low work factors), making offline brute-force attacks practical if hashes are leaked.
Why it matters
Fast hashes let anyone who obtains them test password guesses cheaply, so a leaked hash table becomes a cracking exercise rather than a dead end.
- Offline cracking at scale: attackers can try billions of guesses per second with fast hashes.
- Account takeover via password reuse once cracked.
- Breach amplification: a leak quickly turns into many compromised accounts.
Safer examples
1) Use a password hashing algorithm designed to be slow
Prefer Argon2id (best), then bcrypt/scrypt/PBKDF2 depending on your platform.
2) Configure work factors appropriately
Tune cost parameters to an acceptable latency target (e.g., ~100–300ms per hash on your server hardware) and revisit periodically.
3) Add rate limits and lockouts (defense-in-depth)
Online defenses don't fix weak hashes, but they reduce immediate abuse.
How SiteShadow detects it (high level)
- Detects fast/general-purpose hashes being used for password-like fields.
- Flags weak cost parameters (e.g., low bcrypt rounds, too-low PBKDF2 iterations) when visible in code/config.
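As an added example (not SiteShadow's own code), the Python below sketches points 1) and 2) above together with the parameter check described in the detection section: an audit of cost parameters against a baseline, calibration of PBKDF2 iterations to a latency target that never drops below a policy floor, and a self-describing hash format so the work factor can be raised later. The baseline numbers and the `audit_work_factor`/`calibrate_pbkdf2` helpers are assumptions for this example, not part of the page.

```python
import hashlib
import hmac
import os
import time

# Audit baseline (an assumption for this example, taken from the OWASP Password
# Storage Cheat Sheet minimums; substitute your own policy values).
FAST_HASHES = {"md5", "sha1", "sha256", "sha512"}
MINIMUMS = {"pbkdf2_sha256": ("iterations", 600_000),
            "bcrypt": ("cost", 10),
            "scrypt": ("n", 2 ** 17)}

def audit_work_factor(algorithm, **params):
    """Return a list of findings for a password-hash setting; [] means acceptable."""
    if algorithm in FAST_HASHES:
        return [f"{algorithm} is a fast general-purpose hash, not a password hash"]
    if algorithm not in MINIMUMS:
        return [f"unrecognised algorithm {algorithm!r}; review manually"]
    name, minimum = MINIMUMS[algorithm]
    value = params.get(name, 0)
    if value < minimum:
        return [f"{algorithm} {name}={value} is below the baseline of {minimum}"]
    return []

def calibrate_pbkdf2(target_ms=200, floor=MINIMUMS["pbkdf2_sha256"][1]):
    """Pick a PBKDF2-HMAC-SHA256 iteration count costing about target_ms on this
    machine, never dropping below the policy floor on slow hardware."""
    probe = 50_000  # short timing probe; PBKDF2 cost scales linearly with iterations
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration-only", os.urandom(16), probe)
    elapsed_ms = (time.perf_counter() - start) * 1000
    return max(int(probe * target_ms / max(elapsed_ms, 0.001)), floor)

def hash_password(password, iterations):
    """Self-describing hash: the stored string carries its own iteration count,
    so the work factor can be raised later and old hashes still verify."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Constant-time comparison against the parameters embedded in `stored`."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Re-run `calibrate_pbkdf2` on the production hardware class, not a developer laptop, and store the chosen count with the hash so a later increase only affects new or re-verified passwords.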
References
- CWE-916: https://cwe.mitre.org/data/definitions/916.html