LIVE NEWSROOM · --:-- · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS

CWE WEAKNESSES  /  CWE-916

CWE-916

Use of Password Hash With Insufficient Computational Effort

Base

What it is

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Many password storage mechanisms compute a hash and store the hash, instead of storing the original password in plaintext. In this design, authentication involves accepting an incoming password, computing its hash, and comparing it to the stored hash.Many hash algorithms are designed to execute quickly with minimal overhead, even cryptographic hashes. However, this efficiency is a problem for password storage, because it can reduce an attacker's workload for brute-force password cracking. If an attacker can obtain the hashes through some other method (such as SQL injection on a database that stores hashes), then the attacker can store the hashes offline and use various techniques to crack the passwords by computing hashes efficiently. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a ve

Impact

Access ControlBypass Protection Mechanism, Gain Privileges or Assume Identity

Mitigations

  • [Architecture and Design]Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For
  • [Implementation, Architecture and Design] When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.

Real-world CVE examples

  • CVE-2008-1526 — Router does not use a salt with a hash, making it easier to crack passwords.
  • CVE-2006-1058 — Router does not use a salt with a hash, making it easier to crack passwords.
  • CVE-2008-4905 — Blogging software uses a hard-coded salt when calculating a password hash.
  • CVE-2002-1657 — Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.
  • CVE-2001-0967 — Server uses a constant salt when encrypting passwords, simplifying brute force attacks.
  • CVE-2005-0408 — chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

Related weaknesses

Test & detect

Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.

Source: MITRE CWE. View on cwe.mitre.org →

Scroll to Top