igbuend/weak-password-hashing-anti-pattern
skills/weak-password-hashing-anti-pattern/SKILL.md
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard weak-password-hashing-anti-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:21 PM25.7s1 file scanned
SKILL.md
- name:
- weak-password-hashing-anti-pattern
- description:
- Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
Weak Password Hashing Anti-Pattern
Severity: High
Summary
Applications use fast general-purpose hash functions (MD5, SHA-1, SHA-256) without salting for password storage, enabling rapid cracking via rainbow tables or GPU-accelerated brute-force (billions of hashes per second). Results in mass account compromise and credential stuffing attacks.
The Anti-Pattern
The anti-pattern is using cryptographic hash functions that are too fast or lack essential features like salting and adjustable work factors, making them vulnerable to offline attacks.
BAD Code Example
# VULNERABLE: Using MD5 for password hashing.
import hashlib
def hash_password_md5(password):
# MD5 is a cryptographically broken hash function.
# It is extremely fast, and rainbow tables for MD5 are widely available.
return hashlib.md5(password.encode()).hexdigest()
def verify_password_md5(password, stored_hash):
return hash_password_md5(password) == stored_hash
# Another example: plain SHA-256 without salting.
def hash_password_sha256_unsalted(password):
# SHA-256 is a strong hash for data integrity, but too fast for passwords.
# Without a salt, identical passwords result in identical hashes.
return hashlib.sha256(password.encode()).hexdigest()
# Problems:
# - Speed: MD5/SHA-256 can compute billions of hashes per second.
# - No Salt: Allows rainbow table attacks and reveals users with identical passwords.
# - No Work Factor: Cannot be slowed down to resist brute-force attacks.
GOOD Code Example
# SECURE: Use a password-hashing algorithm designed to be slow and include a unique salt.
import bcrypt # Or Argon2, scrypt
def hash_password_secure(password):
# bcrypt generates unique salt per password and supports adjustable work factor.
# Higher rounds = slower hashing = better brute-force resistance.
hashed_password = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=12))
return hashed_password.decode('utf-8') # Store the hashed password as a string.
def verify_password_secure(password, stored_hash):
# checkpw() verifies password against stored hash with constant-time comparison.
# Extracts salt and work factor from stored hash to prevent timing attacks.
return bcrypt.checkpw(password.encode('utf-8'), stored_hash.encode('utf-8'))
# Recommended algorithms (in order of current preference):
# 1. Argon2id (best practice for new applications)
# 2. bcrypt
# 3. scrypt
# Always use libraries for password hashing; never implement your own.
Detection
- Code Review: Search your codebase for password hashing implementations.
- Look for
hashlib.md5(),hashlib.sha1(), orhashlib.sha256()being used for passwords. - Check if
bcrypt,argon2, orscryptlibraries are used. - Verify that a unique, cryptographically secure salt is generated for each password.
- Look for
- Database Inspection: Look at the
passwordorpassword_hashcolumn in your user database.- Are the hashes all of the same length and format? (Suggests no salt or static salt).
- Do they start with prefixes like
$2a$(bcrypt),$argon2id$(Argon2), or$s2$(scrypt)?
- Check for plaintext passwords: Ensure that passwords are never stored in plaintext.
Prevention
- [ ] Use strong, slow, adaptive password-hashing functions.
- Argon2id: Currently the recommended algorithm for new applications.
- bcrypt: A widely used and strong algorithm.
- scrypt: Another strong algorithm.
- [ ] Always use a unique, cryptographically secure salt for each password. bcrypt and Argon2 generate salts automatically.
- [ ] Adjust the work factor (cost) appropriately. Increase the number of rounds (bcrypt) or memory/time cost (Argon2) until hashing takes about 250-500 milliseconds on your server hardware. This makes brute-forcing expensive for attackers.
- [ ] Never use fast, general-purpose hash functions like MD5, SHA-1, or plain SHA-256 for passwords. These are designed for speed, not for password storage.
- [ ] Never store plaintext passwords.
Related Security Patterns & Anti-Patterns
- Hardcoded Secrets Anti-Pattern: Password hashes are sensitive data and should be protected.
- Missing Authentication Anti-Pattern: Weak password hashing undermines the entire authentication process.
- Timing Attacks Anti-Pattern: Proper password-hashing libraries use constant-time comparisons to prevent timing attacks during verification.
References
- OWASP Top 10 A04:2025 - Cryptographic Failures
- OWASP GenAI LLM10:2025 - Unbounded Consumption
- OWASP API Security API2:2023 - Broken Authentication
- OWASP Password Storage Cheat Sheet
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-759: Use of a One-Way Hash without a Salt
- CAPEC-55: Rainbow Table Password Cracking
- PortSwigger: Authentication
- BlueKrypt - Cryptographic Key Length Recommendation
- Source: sec-context
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026
igbuend/verifiable-token-based-authentication-pattern
development
VerifiedTrustedCommunity
Security pattern for self-contained token authentication (e.g., JWT). Use when implementing stateless authentication, designing tokens with embedded claims, or building systems where tokens contain principal information and can be verified without server-side storage. Specialization of Authentication pattern.
4SKILL.mdUpdated Apr 5, 2026