Common Weakness Enumeration

A Community-Developed List of Software Weakness Types


CWE-836: Use of Password Hash Instead of Password for Authentication

Weakness ID: 836
Abstraction: Base
Status: Incomplete
+ Description

Description Summary

The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Extended Description

Some authentication mechanisms rely on the client to generate the hash for a password, possibly to reduce load on the server or avoid sending the password across the network. However, when the client is used to generate the hash, an attacker can bypass the authentication by obtaining a copy of the hash, e.g. by using SQL injection to compromise a database of authentication credentials, or by exploiting an information exposure. The attacker could then use a modified client to replay the stolen hash without having knowledge of the original password.

As a result, the server-side comparison against a client-side hash does not provide any more security than the use of passwords without hashing.
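The following Python example is added here to illustrate the weakness described above; it is not part of the CWE entry or any MITRE code. It places the weak pattern (the server accepts a client-computed hash and compares it with the stored hash) beside a hardened pattern (the server receives the password itself, hashes it with a per-user salt using PBKDF2, and compares digests). The in-memory stores, the user name "alice" and the password are constructed sample values. The demo shows that once the vulnerable store is exposed, the stored value alone is sufficient to pass the vulnerable check, while the stored value from the hardened store is not usable as a credential.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; kept modest so the demo runs quickly (assumption:
# a production deployment would tune this much higher).
ITERATIONS = 100_000

# --- Weak pattern (CWE-836) ------------------------------------------------
# The data store holds sha256(password). The client is expected to compute
# that same hash and send it; the server only compares the two hashes.
VULN_STORE: dict[str, str] = {}


def vuln_register(username: str, password: str) -> None:
    VULN_STORE[username] = hashlib.sha256(password.encode()).hexdigest()


def vuln_login(username: str, client_supplied_hash: str) -> bool:
    """Accepts whatever hash the client sends: the stored hash IS the credential."""
    stored = VULN_STORE.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, client_supplied_hash)


# --- Hardened pattern -------------------------------------------------------
# The server receives the password (over a protected transport) and performs
# the hashing itself with a random per-user salt. A copy of the store does not
# yield anything the verifier will accept as-is.
SAFE_STORE: dict[str, tuple[bytes, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def safe_register(username: str, password: str) -> None:
    salt = os.urandom(16)
    SAFE_STORE[username] = (salt, _derive(password, salt))


def safe_login(username: str, password: str) -> bool:
    """Hashes the submitted password server-side and compares in constant time."""
    record = SAFE_STORE.get(username)
    if record is None:
        # Derive anyway so unknown users are not distinguishable by timing.
        _derive(password, b"\x00" * 16)
        return False
    salt, stored_digest = record
    return hmac.compare_digest(_derive(password, salt), stored_digest)


def demo() -> dict[str, bool]:
    """Register one constructed user in each store and exercise both verifiers."""
    vuln_register("alice", "correct horse battery staple")
    safe_register("alice", "correct horse battery staple")

    # Legitimate client behaviour under each scheme.
    legit_hash = hashlib.sha256(b"correct horse battery staple").hexdigest()
    results = {
        "vuln_legit_login": vuln_login("alice", legit_hash),
        "safe_legit_login": safe_login("alice", "correct horse battery staple"),
    }

    # Simulated exposure of the data store (e.g. via the SQL injection the
    # entry mentions): only the stored values are known, not the password.
    exposed_vuln_value = VULN_STORE["alice"]
    exposed_safe_value = SAFE_STORE["alice"][1].hex()

    # Weak verifier: the stored hash passes authentication directly.
    results["vuln_store_value_accepted"] = vuln_login("alice", exposed_vuln_value)
    # Hardened verifier: the stored digest is not a password and is rejected.
    results["safe_store_value_accepted"] = safe_login("alice", exposed_safe_value)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The salt and PBKDF2 work factor are not what fixes CWE-836; the fix is that the verifier, not the client, turns the submitted secret into the stored form, so a copy of the store is never itself a valid login token. Where the password genuinely must not cross the network, a proper challenge-response or PAKE protocol is the alternative, not a client-computed static hash.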

+ Applicable Platforms



+ Common Consequences
Access Control

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

An attacker could bypass the authentication routine without knowing the original password.

+ Observed Examples
Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282).
Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument.
+ Relationships
Nature    Type            ID   Name                                             View(s) this relationship pertains to
ChildOf   Weakness Class  287  Improper Authentication                          Development Concepts (primary) 699; Research Concepts (primary) 1000
PeerOf    Weakness Base   602  Client-Side Enforcement of Server-Side Security  Research Concepts 1000
+ Content History
Submissions
Submission Date   Submitter   Organization   Source
2011-03-22        MITRE                      Internal CWE Team

Modifications
Modification Date   Modifier           Organization   Source     Changes
2011-06-01          CWE Content Team   MITRE          Internal   updated Common_Consequences
2012-10-30          CWE Content Team   MITRE          Internal   updated Observed_Examples

Page Last Updated: May 05, 2017