1.2.68. Avoid Those Hash Functions

The following cryptographic algorithms are considered insecure and should be replaced with newer, more modern algorithms.

MD2, MD4, MD5, SHA0, SHA1, CRC, DES, 3DES, RC2, RC4.

When possible, avoid using them, whether as PHP functions or as algorithm names passed to hashing and encryption extensions (mcrypt, hash, …). Weak cryptography is commonly used to hash values when caching them, since security is not a primary concern there. However, it may become one later, when attackers gain access to the cache folders or when a cached identifier is published. As a preventive measure, it is recommended to always use a secure hashing function.

<?php

// Weak cryptographic algorithm, called through the legacy dedicated function
echo md5('The quick brown fox jumped over the lazy dog.');

// Weak cryptographic algorithm, used with a modern PHP extension (easier to update)
echo hash('md5', 'The quick brown fox jumped over the lazy dog.');

// Strong cryptographic algorithm, used with a modern PHP extension
echo hash('sha256', 'The quick brown fox jumped over the lazy dog.');

?>

See also Secure Hash Algorithms.
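The cache-identifier case described above, as an added example that is not part of the Exakat documentation: a small helper that builds cache keys with a strong algorithm, refuses the weak ones named in this rule, and checks with hash_algos() that the requested algorithm exists in the running PHP build. The function name cacheKey() and the namespace prefix are assumptions.

```php
<?php
// Added example, not Exakat code: cache identifiers built with a strong hash.
// WEAK_ALGOS mirrors the hash functions this rule flags (CRC variants included);
// the names below as spelled by hash_algos() are assumptions where PHP has no
// such algorithm (for instance 'sha0', which is kept only as a deny-list entry).
const WEAK_ALGOS = ['md2', 'md4', 'md5', 'sha0', 'sha1', 'crc32', 'crc32b', 'crc32c'];

/**
 * Return a cache identifier for $data, hashed with $algo (sha256 by default).
 * Weak algorithms and algorithms missing from this PHP build are rejected.
 */
function cacheKey(string $namespace, string $data, string $algo = 'sha256'): string
{
    $algo = strtolower($algo);
    if (in_array($algo, WEAK_ALGOS, true)) {
        throw new InvalidArgumentException("Weak hash algorithm '$algo' is not allowed for cache keys");
    }
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("Hash algorithm '$algo' is not available in this PHP build");
    }
    // Prefix the key with the algorithm name so that entries written during a
    // migration never collide with entries produced by the previous algorithm.
    return $namespace . ':' . $algo . ':' . hash($algo, $data);
}

// Constructed sample input
$content = 'The quick brown fox jumped over the lazy dog.';

echo cacheKey('page', $content), PHP_EOL;

try {
    cacheKey('page', $content, 'md5');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Embedding the algorithm name in the key is what makes the later rule suggestions workable: old md5-based entries simply expire from the cache while new entries are written under the sha256 prefix, with no risk that a lookup reads a stale entry produced by the weak algorithm.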

1.2.68.1. Suggestions

  • Keep the current crypto, and add a call to a stronger one.

  • Change the crypto for a more modern one, and update the related databases.
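Both suggestions applied to stored digests, as an added example that is not part of the Exakat documentation. The rows, the column names (algo, digest, digest_sha256) and the helper names are assumptions; the rows are constructed in place of a database table, and the SQL that would persist the change is indicated only in a comment.

```php
<?php
// Added example, not Exakat code: migrating md5 digests stored in a database
// to sha256. Rows are constructed inline; column and function names are assumptions.

// Constructed sample rows: an untagged legacy md5 digest and an already-migrated one.
$rows = [
    ['id' => 1, 'algo' => null,     'digest' => md5('token-A')],
    ['id' => 2, 'algo' => 'sha256', 'digest' => hash('sha256', 'token-B')],
];

/**
 * Suggestion 1: keep the current crypto and add a call to a stronger one.
 * The legacy digest stays in place so existing lookups keep working; a sha256
 * digest is stored beside it and can be read by new code during the transition.
 */
function addStrongDigest(array $row, string $plain): array
{
    // Constant-time comparison, so the check does not leak timing information.
    if (!hash_equals($row['digest'], md5($plain))) {
        throw new RuntimeException('value does not match the stored legacy digest');
    }
    $row['digest_sha256'] = hash('sha256', $plain);
    // here: UPDATE ... SET digest_sha256 = :digest_sha256 WHERE id = :id
    return $row;
}

/**
 * Suggestion 2: change the crypto and update the database.
 * Verify against whatever algorithm the row was written with (untagged rows
 * are legacy md5), then rewrite the row with sha256 on first successful use.
 */
function verifyAndUpgrade(array $row, string $plain): array
{
    $algo = $row['algo'] ?? 'md5';
    if (!hash_equals($row['digest'], hash($algo, $plain))) {
        throw new RuntimeException('verification failed');
    }
    if ($algo !== 'sha256') {
        $row['algo']   = 'sha256';
        $row['digest'] = hash('sha256', $plain);
        // here: UPDATE ... SET algo = 'sha256', digest = :digest WHERE id = :id
    }
    return $row;
}

$withBoth = addStrongDigest($rows[0], 'token-A');
echo 'row 1 now carries ', $withBoth['digest_sha256'], PHP_EOL;

$upgraded = verifyAndUpgrade($rows[0], 'token-A');
echo 'row 1 rewritten as ', $upgraded['algo'], ':', $upgraded['digest'], PHP_EOL;

$unchanged = verifyAndUpgrade($rows[1], 'token-B');
echo 'row 2 left as ', $unchanged['algo'], PHP_EOL;
```

Either strategy needs the original value at verification time, which is why the rewrite happens on first use rather than in a bulk job. Note that this applies to digests of tokens and identifiers; stored passwords should go through password_hash() and password_verify() rather than any plain hash() call.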

1.2.68.2. Specs

Short name: Security/AvoidThoseCrypto

Rulesets: All, Security

Exakat since: 0.8.4

PHP Version: All

Severity: Major

Time To Fix: Quick (30 mins)

Precision: Very high

Features: hash

Available in: Enterprise Edition, Exakat Cloud