Cryptographic Failures & Sensitive Data Exposure (A02:2021)

Protecting sensitive data is paramount. A common failure is using weak cryptographic algorithms or storing passwords in plain text.

The Problem: Weak Hashing

Legacy algorithms like MD5 and SHA-1 are still mistakenly used for password hashing. They are designed to be fast, which is exactly the wrong property for password storage: it lets an attacker test billions of guesses per second against a stolen hash database.

```python
# VULNERABLE - DO NOT USE
import hashlib

password = "supersecret"
# MD5 is broken and far too fast for password storage; this is also unsalted,
# so identical passwords produce identical, lookup-table-friendly digests.
digest = hashlib.md5(password.encode()).hexdigest()
```

Data Protection Architecture

Data should be encrypted in transit and at rest.

[PlantUML diagram: data protection architecture showing encryption in transit and at rest; image not preserved]

The Fix: Strong Hashing

Use purpose-built, work-factor based algorithms such as Argon2 or bcrypt. Their cost parameters are tunable, so each guess stays expensive for an attacker even as hardware improves, and they generate a random salt per password for you.

```python
# SECURE - Use Argon2
from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError

ph = PasswordHasher()
# Produces a self-describing string ("$argon2id$...") that embeds the
# parameters and a fresh random salt alongside the hash.
stored_hash = ph.hash("correct horse battery staple")

# Verify: verify() raises on mismatch rather than returning False.
try:
    ph.verify(stored_hash, "correct horse battery staple")
    print("Password ok")
except VerifyMismatchError:
    print("Invalid password")
```