PHP

Made by DeepSource

Audit required: Use of an insecure hashing function PHP-A1004

Security
Critical
a02 cwe-327 sans top 25 owasp top 10 cwe-916

Using md5() or sha1() to hash passwords is not recommended. These functions are designed to be fast, so an attacker who obtains the stored hashes can test a very large number of candidate passwords per second, which makes brute-force and dictionary attacks against them practical.

It is recommended to use PHP's password hashing function password_hash() to create a secure password hash.

In the past, this has led to the following vulnerabilities:

These functions are also sometimes used to derive a "random" string from given data. This is not a secure way to generate a random string: the output of md5() or sha1() is only as unpredictable as the data fed into it.

It is recommended to generate secure random strings with an existing package such as RandomLib or Security Utility. These libraries also cover related tasks: generating secure random bytes and strings, hashing given data with a particular salt (using PHP's hash() function), and encrypting and decrypting data.

If you prefer not to add a new dependency to your project, you can use this code snippet from Stack Overflow to generate a secure string.

Bad practice

// invalid: using md5() to hash the password is not recommended
$password = md5($_GET['password']);
// invalid: using sha1() to hash the password is not recommended
$password = sha1($_GET['password']);

Recommended

// valid: use function like password_hash to hash the password
$password = password_hash($_GET['password'], PASSWORD_BCRYPT);
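The following is an added example, not code from the DeepSource rule page. It shows the recommended password_hash()/password_verify() flow end to end, plus random_bytes() as a dependency-free replacement for the md5()/sha1()-based "random string" pattern described above; the function names, the bcrypt cost of 12 and the sample credential are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Registration: store only the password hash, never the plaintext.
function hashPassword(string $plaintext): string
{
    // password_hash() generates a random salt and runs a deliberately slow
    // algorithm (bcrypt here); salt, algorithm and cost are encoded in the
    // returned string, so nothing else needs to be stored alongside it.
    $hash = password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 12]);
    if ($hash === false) { // PHP < 8.0 returns false on failure
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Login: password_verify() reads the parameters out of the stored hash and
// compares in constant time. If the stored hash was made with a weaker
// cost (or algorithm) than currently configured, produce an upgraded hash
// for the caller to persist.
function verifyPassword(string $plaintext, string $storedHash, ?string &$newHash = null): bool
{
    if (!password_verify($plaintext, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        $newHash = hashPassword($plaintext);
    }
    return true;
}

// Random token: random_bytes() draws from the OS CSPRNG, unlike md5() or
// sha1() over guessable input, which only disguises a predictable value.
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes)); // 64 hex characters for 32 bytes
}

// Constructed demonstration values (not real credentials).
$stored = hashPassword('correct horse battery staple');
assert(verifyPassword('correct horse battery staple', $stored));
assert(!verifyPassword('wrong password', $stored));
echo "token: ", secureToken(), PHP_EOL;
```

Note that PASSWORD_BCRYPT only uses the first 72 bytes of the input, so enforce a maximum length at the input layer or choose PASSWORD_ARGON2ID where it is available.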
