Cryptographic operations should use proven, standard algorithms rather than custom implementations.

Why is this an issue?

Non-standard cryptographic algorithms are those that have not been publicly vetted by the security community or that implement cryptographic primitives in a custom way. Creating a custom cryptographic algorithm by subclassing standard cryptographic base classes bypasses the rigorous testing and peer review that established algorithms undergo. Custom implementations are likely to contain subtle flaws that could be exploited to break the protection the algorithm is supposed to provide.

What is the potential impact?

Data compromise

When an attacker discovers a flaw in a custom cryptographic algorithm, they may be able to decrypt any data protected by it. Depending on the application, this could expose passwords, personal data, financial records, or other sensitive information.

How to fix it

This rule flags custom subclasses of BasePasswordHasher in Django applications. Instead of writing your own hasher, use one of the hashers Django ships with, such as Argon2PasswordHasher, as shown in the compliant solution below.

Code examples

Noncompliant code example

from django.contrib.auth.hashers import BasePasswordHasher
class CustomPasswordHasher(BasePasswordHasher):  # Noncompliant: home-grown hashing scheme
    # ...
    pass

Compliant solution

# Use Django's built-in, peer-reviewed hasher instead of subclassing BasePasswordHasher
from django.contrib.auth.hashers import Argon2PasswordHasher
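A small AST-based check in the spirit of this rule, added here as an example and not SonarSource's or Django's own implementation: it reports classes that directly subclass BasePasswordHasher (including the attribute form and `import ... as` aliases) and, by assumption, does not report subclasses of Django's built-in hashers such as Argon2PasswordHasher. The module it scans is constructed for the example.

```python
import ast

BASE_HASHER = "BasePasswordHasher"
HASHERS_MODULE = "django.contrib.auth.hashers"


def _base_name(node):
    """Name a base-class expression refers to: `Base` -> "Base", `hashers.Base` -> "Base"."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def find_custom_hashers(source):
    """Return (class name, line) for every class that directly subclasses
    BasePasswordHasher, resolving `import ... as` aliases of that name.
    Heuristic (an assumption of this example, not the rule's real logic):
    subclasses of Django's built-in hashers, e.g. Argon2PasswordHasher, are not reported."""
    tree = ast.parse(source)
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == HASHERS_MODULE:
            for alias in node.names:
                if alias.name == BASE_HASHER:
                    aliases[alias.asname or alias.name] = BASE_HASHER
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            names = {aliases.get(_base_name(b), _base_name(b)) for b in node.bases}
            if BASE_HASHER in names:
                hits.append((node.name, node.lineno))
    return hits


# Constructed sample module to scan; not taken from any real project.
SAMPLE = '''\
from django.contrib.auth import hashers
from django.contrib.auth.hashers import BasePasswordHasher as Base, Argon2PasswordHasher

class LegacyMD5Hasher(Base):  # custom scheme behind an alias: reported
    algorithm = "legacy_md5"

class AnotherHasher(hashers.BasePasswordHasher):  # attribute form: reported
    pass

class TunedArgon2(Argon2PasswordHasher):  # tunes a vetted hasher: not reported
    time_cost = 3
'''

if __name__ == "__main__":
    for name, line in find_custom_hashers(SAMPLE):
        print(f"line {line}: {name} subclasses {BASE_HASHER} (Noncompliant)")
```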

Resources

Standards