Made by DeepSource

Using a constant salt for PBKDF2 GO-S1038

Security
Major
A02 OWASP Top 10, CWE-760

In cryptography, a salt is random data used as an additional input to a one-way function that hashes data. A constant salt defeats that purpose: a single pre-computed table built for that one salt value covers every password hashed with it, which renders the salt useless.

Bad practice

package main

import (
    "crypto/sha256"

    "golang.org/x/crypto/pbkdf2"
)

func foo() {
    salt := []byte("salt") // hard-coded, identical for every derived key
    pbkdf2.Key([]byte("pass"), salt, 2000, 64, sha256.New)
}

Recommended

package main

import (
    "crypto/sha256"

    "golang.org/x/crypto/pbkdf2"
)

// salt must come from a cryptographically secure pseudo-random number generator (CSPRNG)
// and be generated freshly for each derived key.
func foo(salt []byte) {
    pbkdf2.Key([]byte("pass"), salt, 310000, 64, sha256.New)
}
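The following is an added, self-contained example, not DeepSource's code and not the golang.org/x/crypto package: it shows where a per-key random salt comes from, how it is stored next to the derived key, and why two enrollments of the same password must not produce the same key. To keep it standard-library only, PBKDF2-HMAC is written out from RFC 8018 section 5.2 instead of importing golang.org/x/crypto/pbkdf2; the names DeriveKey, NewSalt, Enroll, Verify and StoredCredential are this example's own. The iteration count is the page's 310000; the 16-byte salt size follows NIST SP 800-132's 128-bit minimum.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

const iterations = 310000 // the page's recommended count for PBKDF2-HMAC-SHA256
const keyLen = 32         // bytes of derived key to store

// DeriveKey implements PBKDF2 (RFC 8018, 5.2) with HMAC-h as the PRF.
// It computes the same result as golang.org/x/crypto/pbkdf2.Key.
func DeriveKey(password, salt []byte, iter, dkLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	numBlocks := (dkLen + hLen - 1) / hLen
	dk := make([]byte, 0, numBlocks*hLen)
	u := make([]byte, hLen)
	var be [4]byte
	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(password, salt || INT_32_BE(block)); the block index is
		// what lets a long key be built from several PRF output blocks.
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(be[:], uint32(block))
		prf.Write(be[:])
		u = prf.Sum(u[:0])
		t := make([]byte, hLen)
		copy(t, u)
		// U_i = PRF(password, U_{i-1});  T_block = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// NewSalt draws 16 bytes from the OS CSPRNG (crypto/rand). A fresh salt is
// generated for every enrollment; it is never derived from the password.
func NewSalt() ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// StoredCredential is what a verifier persists: the salt in the clear next to
// the derived key. The salt is not secret; it only has to be unique.
type StoredCredential struct {
	Salt []byte
	Key  []byte
}

// Enroll derives a credential for a new password with its own random salt.
func Enroll(password []byte) (StoredCredential, error) {
	salt, err := NewSalt()
	if err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{Salt: salt, Key: DeriveKey(password, salt, iterations, keyLen, sha256.New)}, nil
}

// Verify re-derives with the stored salt and compares in constant time.
func Verify(cred StoredCredential, password []byte) bool {
	candidate := DeriveKey(password, cred.Salt, iterations, keyLen, sha256.New)
	return subtle.ConstantTimeCompare(candidate, cred.Key) == 1
}

func main() {
	pw := []byte("pass") // constructed sample password
	fixed := []byte("salt")
	// With the page's constant salt, every account using this password stores
	// the identical key, so a table built once for "salt" covers all of them.
	fmt.Println("constant salt:", hex.EncodeToString(DeriveKey(pw, fixed, iterations, keyLen, sha256.New)))
	// With per-enrollment random salts, the same password yields unrelated keys.
	a, _ := Enroll(pw)
	b, _ := Enroll(pw)
	fmt.Println("random salt A:", hex.EncodeToString(a.Key))
	fmt.Println("random salt B:", hex.EncodeToString(b.Key))
	fmt.Println("verify A:", Verify(a, pw), " wrong password:", Verify(a, []byte("wrong")))
}
```

The salt is stored beside the key rather than hidden: its job is to make each derived key unique so that no pre-computed table applies to more than one account, and the verifier needs it to recompute the key. DeriveKey can be checked against the standard PBKDF2-HMAC-SHA256 test vectors (for example password "password", salt "salt", one iteration, 32 bytes).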
