CWE-916
Use of Password Hash With Insufficient Computational Effort
Abstraction: Base
Status: Incomplete
Description
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-55
CVEs mapped to this weakness (15)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2005-0408 | Critical | 0.67 | 9.8 | 0.03 | | Feb 14, 2005 | CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable. |
| CVE-2024-5743 | Critical | 0.64 | 9.8 | 0.00 | | Jan 13, 2025 | An attacker could exploit the 'Use of Password Hash With Insufficient Computational Effort' vulnerability in EveHome Eve Play to execute arbitrary code. This issue affects Eve Play: through 1.1.42. |
| CVE-2001-0967 | Critical | 0.64 | 9.8 | 0.00 | | Aug 31, 2001 | Knox Arkeia server 4.2, and possibly other versions, uses a constant salt when encrypting passwords using the crypt() function, which makes it easier for an attacker to conduct brute-force password guessing. |
| CVE-2025-2265 | High | 0.51 | 7.8 | 0.00 | | Mar 13, 2025 | The password of a web user in "Sante PACS Server.exe" is zero-padded to 0x2000 bytes, SHA1-hashed, base64-encoded, and stored in the USER table in the SQLite database HTTP.db. However, the number of hash bytes encoded and stored is truncated if the hash contains a zero byte. |
| CVE-2008-1526 | High | 0.49 | 7.5 | 0.00 | | Mar 26, 2008 | ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it easier for attackers to crack passwords. |
| CVE-2002-1657 | High | 0.49 | 7.5 | 0.01 | | Dec 31, 2002 | PostgreSQL uses the username as the salt when hashing passwords, which makes it easier for remote attackers to guess passwords via a brute-force attack. |
| CVE-2025-24340 | Medium | 0.42 | 6.5 | 0.00 | | Apr 30, 2025 | A vulnerability in the users configuration file of ctrlX OS may allow a remote authenticated (low-privileged) attacker to recover the plaintext passwords of other users. |
| CVE-2025-13532 | Medium | 0.40 | 6.2 | 0.00 | | Dec 16, 2025 | Insecure defaults in the Server Agent component of Fortra's Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms. This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain. |
| CVE-2025-26486 | Medium | 0.39 | 6.0 | 0.00 | | Mar 19, 2025 | Broken or Risky Cryptographic Algorithm, Use of Password Hash With Insufficient Computational Effort, Use of Weak Hash, and Use of a One-Way Hash with a Predictable Salt vulnerabilities in Beta80 "Life 1st Identity Manager" enable an attacker with access to password hashes to brute-force user passwords or find a collision, ultimately to gain access to a target application that uses "Life 1st Identity Manager" as a service for authentication. This issue affects Life 1st: 1.5.2.14234. |
| CVE-2006-1058 | Medium | 0.36 | 5.5 | 0.00 | | Apr 4, 2006 | BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. |
| CVE-2025-46413 | Medium | 0.28 | 4.3 | 0.00 | | Nov 7, 2025 | A 'Use of Password Hash With Insufficient Computational Effort' issue exists in the BUFFALO Wi-Fi router 'WSR-1800AX4 series'. When WPS is enabled, the PIN code and/or Wi-Fi password may be obtained by an attacker. |
| CVE-2025-27552 | Medium | 0.26 | 4.0 | 0.00 | | Mar 26, 2025 | DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with the program file Crypt/Eksblowfish/Bcrypt.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032. |
| CVE-2025-27551 | Medium | 0.26 | 4.0 | 0.00 | | Mar 26, 2025 | DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with the program file lib/DBIx/Class/EncodedColumn/Digest.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032. |
| CVE-2025-7789 | Low | 0.17 | 3.7 | 0.00 | | Jul 18, 2025 | A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to use of a password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. |
| CVE-2014-2354 | | 0.00 | — | 0.00 | | May 30, 2014 | Cogent DataHub before 7.3.5 does not use a salt during password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack. |