SiteShadow

CWE-759 Use of a One-Way Hash without a Salt

What this means

SiteShadow flagged password/credential hashing that does not use a unique salt. Without a salt, identical passwords produce identical hashes, making offline cracking much easier.

Why it matters

Unsalted hashes are vulnerable to rainbow table attacks: an attacker can precompute hashes for common passwords once and look up every user's hash against that table, and any two users who share a password are exposed together because their stored hashes are identical.

Safer examples

1) Use a password hashing algorithm that includes salts (recommended)

Use Argon2id, bcrypt, scrypt, or PBKDF2 (see CWE-916).

import bcrypt

password = "correct horse battery staple"  # example value; in practice this comes from the registration form
# gensalt() draws a fresh random salt for each call; the returned hash string embeds that salt and the cost factor
pw_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())

2) Never use raw SHA-256/MD5 for passwords

Fast general-purpose hashes are not password hashing. SHA-256 and MD5 are designed to be computed quickly, which lets an attacker test enormous numbers of guesses per second; password hashing algorithms are deliberately slow (and, for Argon2id and scrypt, memory-hard) and salt every hash by default.

3) Store and verify correctly

Store the full encoded hash output (which includes the salt/params), and verify using the library's verify function (for example bcrypt.checkpw), which reads the salt and parameters back out of the stored value and performs a constant-time comparison.
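A worked version of the three steps above, added here as an example that is not SiteShadow's own code: it uses PBKDF2-HMAC-SHA256 from Python's standard library (one of the algorithms the page lists) in place of bcrypt, stores a single self-describing string carrying the algorithm, iteration count, salt and digest, and verifies by re-deriving from that stored salt. The encoded-string format, the 600,000-iteration work factor and the sample password are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for the demo (PBKDF2-HMAC-SHA256); tune to your hardware budget.
ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The flagged pattern: the same password yields the same digest for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2; returns one string holding algorithm, params, salt and digest."""
    salt = os.urandom(16)  # unique per password, from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, encoded: str) -> bool:
    """Re-derive with the salt and params stored in the encoded string; constant-time compare."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = encoded.split("$")
    except ValueError:
        return False  # malformed stored value
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Two users with the same password: unsalted digests collide, salted hashes do not.
    print(unsalted_sha256(pw) == unsalted_sha256(pw))  # True
    stored_a, stored_b = hash_password(pw), hash_password(pw)
    print(stored_a == stored_b)  # False
    print(verify_password(pw, stored_a), verify_password("wrong", stored_a))  # True False
```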

How SiteShadow detects it (high level)

References
