Using a weak hashing algorithm to protect sensitive data can compromise the security guarantees the hash is meant to provide.
Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, and SHA-1 are no longer considered secure, because it is computationally feasible to find two different inputs that produce the same hash output — a collision. Message authentication code (MAC) algorithms such as HMAC-MD5 or HMAC-SHA1 use these weak hash functions as building blocks and are likewise considered legacy algorithms. When a weak hashing algorithm is used to protect sensitive data — such as storing passwords, generating security tokens, or verifying data integrity — its weakness can be exploited to defeat that protection.
When weak hashing is used for password storage or security tokens, an attacker who obtains the hashed values can recover the original data more easily through brute force or precomputed (rainbow table) attacks.
When weak hashing is used to verify the integrity of data or downloaded files, an attacker can craft a different input that produces the same hash, allowing them to substitute malicious content without detection.
To hash passwords or other sensitive data, use a slow, memory-hard algorithm specifically designed for that purpose. In order of preference: Argon2, scrypt, bcrypt, or PBKDF2. These algorithms make brute-force and rainbow-table attacks computationally expensive.
For non-sensitive use cases such as data integrity or fingerprinting, use a modern cryptographic hash function such as SHA-256, SHA-512, or SHA-3.
The following noncompliant example uses a weak hashing algorithm that is vulnerable to collision and preimage attacks.

```javascript
const crypto = require("crypto");
// SHA-1 is a legacy algorithm; collisions are computationally feasible.
const hash = crypto.createHash('sha1'); // Noncompliant
```

The following compliant solution uses SHA-512, a modern hash function suitable for the integrity and fingerprinting use cases described above.

```javascript
const crypto = require("crypto");
// SHA-512 is a modern cryptographic hash with no known practical attacks.
const hash = crypto.createHash('sha512');
```