
🔧 Can Snyk Find Weak Cryptographic Algorithms? Bye Bye MD5


News section: 🔧 Programming
🔗 Source: dev.to

Using strong cryptography is essential for data protection and application security, including tasks such as hashing passwords (which, technically, isn’t classic cryptography in the sense of encryption). However, some legacy code may still be deployed to production using weak and outdated cryptographic algorithms that went unnoticed. How can Snyk Code help you find these vulnerable applications?

The dangers of weak cryptographic algorithms

Weak and outdated algorithms, whether for encryption or hashing, pose serious security risks, potentially exposing sensitive information to attackers. Relying on inadequate implementations gives a false sense of security, leaving systems vulnerable. Understanding the limitations of older algorithms and using modern, secure cryptographic practices is essential.

Several cryptographic algorithms are now considered insecure and should be avoided. MD5, for example, is cryptographically broken and unsuitable for any security application, especially password hashing. Because collisions can be found easily, different inputs can produce the same hash value. This lets attackers recover the original password or craft a different input that matches the stored hash. Other examples of weak algorithms include DES and RC4, both of which have known vulnerabilities and should no longer be used.

Weak MD5 Algorithm in Java

Consider the following Java application, which relies on MD5 to hash users’ passwords:

    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Map;
    import javax.xml.bind.DatatypeConverter;
    import org.springframework.web.bind.annotation.*;

    @RestController
    public class LoginController {
        // username -> stored MD5 hex digest (unsalted, no key stretching: this is what Snyk flags)
        private final Map<String, String> userDatabase;

        public LoginController(Map<String, String> userDatabase) {
            this.userDatabase = userDatabase;
        }

        @PostMapping("/login")
        public String loginUser(@RequestParam String username, @RequestParam String password) {
            String hashedPassword = userDatabase.get(username);
            if (hashedPassword != null && hashedPassword.equals(hashPassword(password))) {
                return "Login successful";
            }
            return "Invalid username or password";
        }

        // Weak by design: MD5 is fast and collision-prone, so it is unsuitable for passwords
        private String hashPassword(String password) {
            try {
                MessageDigest md = MessageDigest.getInstance("MD5");
                md.update(password.getBytes(StandardCharsets.UTF_8));
                byte[] digest = md.digest();
                return DatatypeConverter.printHexBinary(digest).toUpperCase();
            } catch (NoSuchAlgorithmException e) {
                return "Error: Hashing algorithm not found";
            }
        }
    }

Note: Refer to the full GitHub source code.

You probably know better than to use MD5 to hash passwords, but what happens when you have many applications to maintain and a large number of code repositories that require you to swiftly navigate hundreds of thousands of lines of code?

If you connect Snyk to your code repositories (or integrate it in any other way), it can easily and quickly scan for vulnerable code, whether it has been lying dormant in one of your legacy applications or was generated, with flaws, by GenAI and other AI code assistants.

Snyk finds the weak MD5 algorithm and points out the source-to-sink call path in your code:

How do we fix a weak MD5 algorithm in Java?

Snyk enriches the security findings: beyond detecting the vulnerable code, it also provides a fix analysis. The following example shows how the MessageDigest API call was fixed in an open source project (OWASP Security Logging in this case), replacing the outdated SHA-1 hashing algorithm with the more up-to-date SHA-256:


Snyk also provides best practices for employing strong algorithms for hashing and cryptography and explains the risks of storing sensitive information in plain text.

Algorithm Security Recommendations and Best Practices

You are advised to pick the right algorithm for the job. If password hashing is the task, you’d want a secure algorithm that provides protection against brute force attacks and has acceptable performance for real-world applications. A prime example is Bcrypt, the industry de-facto standard for decades. Others include PBKDF2 and the more recent, now prominent, Argon2.

Be sure to consult security best practices for cryptography, such as OWASP’s resources.

Finally, get started with Snyk (it’s free!) to earn security points by detecting vulnerable code, outdated dependencies, weak cryptography, and other security concerns.
