OWASP TOP 10 / A02:2021
Cryptographic Failures
Weak or missing protection of sensitive data in transit and at rest — previously called “Sensitive Data Exposure.”
This covers transmitting data in cleartext, using broken or weak algorithms, hard-coded or poorly managed keys, weak password hashing, and missing encryption.
The first question is always: what data needs protection (passwords, PII, tokens), and is it encrypted both in transit (TLS) and at rest with strong, current algorithms?
How to prevent it
Encrypt all sensitive data, enforce TLS, use strong algorithms (AES-GCM, Argon2/bcrypt for passwords), and manage keys properly.
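The following is an added example, not code from the OWASP page, showing the password-hashing part of this advice in working Python. It places the weak pattern (fast, unsalted MD5, CWE-327) next to a hardened one: a per-user random salt, a memory-hard key-derivation function, a self-describing stored record, constant-time comparison, and a check that flags records whose work factor has fallen behind current policy. It uses scrypt from Python's standard library instead of the Argon2 or bcrypt the page recommends, because those need third-party packages; the cost parameters are assumed values for illustration and should be tuned to the deployment hardware.

```python
import hashlib
import hmac
import os

# Work-factor policy for newly created hashes. These are assumed example values;
# tune N/r/p so one hash takes tens of milliseconds on the production server.
SCRYPT_N = 2 ** 14   # CPU/memory cost (must be a power of two); 16 MiB with r=8
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_LEN = 16        # bytes of random salt per password
DKLEN = 32           # derived-key length in bytes


def weak_hash(password: str) -> str:
    """The 'before' pattern (CWE-327): fast, unsalted MD5.
    Equal passwords produce equal hashes, so a leaked table can be attacked
    with precomputed lookups, and MD5 is far too fast to resist guessing."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hardened pattern: random salt + memory-hard scrypt.
    Returns a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex' so the
    parameters travel with the hash and can be raised later without a migration."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time. Malformed records are rejected rather than raising."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt = bytes.fromhex(parts[4])
        expected = bytes.fromhex(parts[5])
        digest = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=n, r=r, p=p, dklen=len(expected),
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored record is not scrypt or uses a lower work factor
    than current policy; rehash on the next successful login."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("weak md5 of same input twice identical:",
          weak_hash("hunter2") == weak_hash("hunter2"))
```

The same login flow would typically call `needs_rehash` after a successful `verify_password` and store a fresh `hash_password` result, which is how a deployment raises its cost parameters over time without forcing resets.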
Mapped weaknesses (CWE)
CWE-259 Use of Hard-coded Password
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CWE-331 Insufficient Entropy
CWE-326 Inadequate Encryption Strength
CWE-311 Missing Encryption of Sensitive Data
CWE-312 Cleartext Storage of Sensitive Information
Free tools to test for it
Related terms
Part of the OWASP Top 10 reference. See also the CWE weaknesses and Web Security hub.