CWE-261 Weak Encoding for Password
Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 4Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged a password being "encoded" (base64, reversible transformations, simple obfuscation) instead of being hashed with a proper password hashing function.
Why it matters
Encoded passwords can be trivially reversed and abused.
- Immediate compromise if encoded passwords leak (they can be decoded).
- Users often reuse passwords, so one leak becomes many account takeovers.
Safer examples
1) Hash passwords with a password hashing algorithm
from argon2 import PasswordHasher
ph = PasswordHasher()
stored_hash = ph.hash(password)
2) Never store "reversible" passwords
If you can recover the password, so can an attacker who gets your data.
3) Fix legacy migrations safely
If migrating from legacy storage:
- force password reset, or
- re-hash on next login after verifying legacy format
How SiteShadow detects it (high level)
- Flags password-like variables passed through reversible encodings (base64/hex) or stored directly.
- Detects missing use of password hashing libraries in password storage flows.
References
- CWE-261: https://cwe.mitre.org/data/definitions/261.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.