Cryptographic failures occur when sensitive data is not adequately protected. This includes using weak algorithms, hardcoded keys, deprecated protocols, and improper key management.
- Weak or unsalted password hashing: using MD5, SHA-1, or a single unsalted SHA-256 for stored passwords. Examples: MD5, SHA-1, plain SHA-256
- Hardcoded secrets: API keys, passwords, and tokens committed in source code. Examples: AWS keys, JWT secrets
- Deprecated protocols and cipher suites. Examples: TLS 1.0, RC4, 3DES
- Non-cryptographic randomness: using Math.random() where unpredictable values are required. Examples: predictable tokens, IVs
- Encryption modes that leak patterns. Examples: AES-ECB reveals repeated plaintext blocks
- Transmitting or storing sensitive data in plaintext. Examples: HTTP, unencrypted databases
| Algorithm | Output bits | Crack time / cost (estimate) | Status | Notes |
|---|---|---|---|---|
| MD5 | 128 | < 1 second | DEPRECATED | Collision attacks proven since 2004. Never use for security. |
| SHA-1 | 160 | ~$45,000 (cloud) | DEPRECATED | SHAttered attack (2017) broke SHA-1. Deprecated by NIST. |
| SHA-256 | 256 | ~10^50 years | SECURE | Part of the SHA-2 family. Currently secure for most applications. |
| SHA-384 | 384 | ~10^75 years | SECURE | SHA-2 variant with larger output. Good for high-security needs. |
| SHA-512 | 512 | ~10^100 years | SECURE | Strongest SHA-2 variant. Recommended for long-term security. |
| SHA-3-256 | 256 | ~10^50 years | SECURE | Keccak-based. Different design than SHA-2, quantum-resistant properties. |
| bcrypt | 184 | Configurable (slow) | SECURE | Password hashing with adaptive cost. Recommended for passwords. |
| Argon2id | 256 | Memory-hard | SECURE | Winner of the Password Hashing Competition (PHC). Memory-hard; best choice for password hashing. |
Built by an OWASP Member • Part of the OWASP Web Security Lab Series