1. Home
  2. CWE Database
  3. CWE-836
Base · Medium

CWE-836: Use of Password Hash Instead of Password for Authentication

The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

CWE-836 · Base Level ·2 CVEs

Description

The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Some authentication mechanisms rely on the client to generate the hash for a password, possibly to reduce load on the server or avoid sending the password across the network. However, when the client is used to generate the hash, an attacker can bypass the authentication by obtaining a copy of the hash, e.g. by using SQL injection to compromise a database of authentication credentials, or by exploiting an information exposure. The attacker could then use a modified client to replay the stolen hash without having knowledge of the original password. As a result, the server-side comparison against a client-side hash does not provide any more security than the use of passwords without hashing.

Potential Impact

Access Control

Bypass Protection Mechanism, Gain Privileges or Assume Identity

Real-World CVE Examples

CVE IDDescription
CVE-2009-1283Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282).
CVE-2005-3435Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument.

CWE-1390: Weak Authentication

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does ...

CWE-602: Client-Side Enforcement of Server-Side Security

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the s...

Frequently Asked Questions

What is CWE-836?

CWE-836 (Use of Password Hash Instead of Password for Authentication) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

How can CWE-836 be exploited?

Attackers can exploit CWE-836 (Use of Password Hash Instead of Password for Authentication) to bypass protection mechanism, gain privileges or assume identity. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-836?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-836?

CWE-836 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.