SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-916 Insufficient Hash Effort

Coverage: 4 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 3Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged password hashing that is too "fast" (or configured with too-low work factors), making offline brute-force attacks practical if hashes are leaked.

Why it matters

Fast hashes are vulnerable to brute-force attacks.

Safer examples

1) Use a password hashing algorithm designed to be slow

Prefer Argon2id (best), then bcrypt/scrypt/PBKDF2 depending on your platform.

2) Configure work factors appropriately

Tune cost parameters to an acceptable latency target (e.g., ~100–300ms per hash on your server hardware) and revisit periodically.

3) Add rate limits and lockouts (defense-in-depth)

Online defenses don't fix weak hashes, but they reduce immediate abuse.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.