Do not use a predictable salt このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
このルールを試す ID: csharp-security/no-predictable-salt
Language: C#
Severity: Error
Category: Security
CWE : 760
Description A salt to hash a password should always be different for each user. Otherwise, it becomes an attack vector. As mentioned on Wikipedia “The way salting is typically done is that a new salt is randomly generated for each password” .
Learn More Non-Compliant Code Examples using System.Security.Cryptography ;
class MyClass {
public static void createHashedPassword1 ( password )
{
var salt = Encoding . UTF8 . GetBytes ( "myuniquesalt" );
return new Rfc2898DeriveBytes ( password , salt );
}
public static void createHashedPassword2 ( password )
{
return new Rfc2898DeriveBytes ( password , Encoding . UTF8 . GetBytes ( "myuniquesalt" ));
}
public static void createHashedPassword3 ( password )
{
return new Rfc2898DeriveBytes ( password , GetBytes ( "myuniquesalt" ));
}
}
Compliant Code Examples using System.Security.Cryptography ;
class MyClass {
public static void createHashedPassword ( password )
{
return new Rfc2898DeriveBytes ( password , 32 );
}
}
Seamless integrations. Try Datadog Code Analysis