CWE-327 | Severity: High | MITRE entry

Broken Cryptography

Use of a Broken or Risky Cryptographic Algorithm

What it is

CWE-327 covers the use of cryptographic algorithms that are known to be broken (DES, MD4), known to be unsuitable for the use case (MD5 for password hashing, ECB mode for encryption), or used incorrectly (predictable IVs, missing authentication on ciphertexts).

Why it matters

Broken cryptography is one of the most frequently cited weaknesses in regulatory enforcement actions. PCI-DSS, HIPAA, FedRAMP, and CMMC all require specific algorithm and key-strength minimums. Use of MD5 or SHA-1 for password hashing has been the root cause of multiple credential-stuffing follow-on attacks, because attackers can crack the hashes offline once the hash table leaks.

Common patterns

  • Password hashing with MD5, SHA-1, SHA-256, or other fast hashes instead of bcrypt, argon2, scrypt, or PBKDF2.
  • Symmetric encryption with ECB mode (visible patterns) or CBC without HMAC (padding oracle).
  • Hardcoded IVs or using zero IVs.
  • Weak random number generation (Math.random, rand(), time-seeded PRNGs) for cryptographic purposes.
  • DES, 3DES, RC4, or Blowfish in new code.
  • Custom or in-house cryptography ('rolled their own crypto').

Languages affected

Python, JavaScript, TypeScript, Java, Go, Ruby, PHP, C#

What Deva detects

Deva matches algorithm names, mode constructors, and library calls. The scanner flags hashlib.md5/sha1 used with password-like variables, javax.crypto.Cipher.getInstance with 'DES', 'RC4', or '/ECB/' modes, hardcoded byte arrays passed as IVs, and use of Math.random where the value is used as a token or salt. The fix recommendation depends on context: bcrypt/argon2 for passwords, AES-GCM (or ChaCha20-Poly1305) for symmetric encryption, ECDSA P-256 or Ed25519 for signing.
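As an added illustration of the kind of pattern match described above (this is example code, not Deva's scanner), the small AST-based check below flags three of the listed patterns in Python source: hashlib.md5/sha1 fed a password-like value, a reference to an ECB mode constant, and a literal passed as an IV or nonce. The names scan_source, _names_in and SAMPLE are this example's own; SAMPLE is a constructed input that is parsed, never executed.

```python
import ast
from typing import List, Tuple

WEAK_HASHES = {"md5", "sha1"}
PASSWORD_HINTS = ("password", "passwd", "pwd", "secret")

def _names_in(expr: ast.AST) -> List[str]:
    """Lower-cased identifiers and attribute names used anywhere in an expression."""
    return [(n.id if isinstance(n, ast.Name) else n.attr).lower()
            for n in ast.walk(expr) if isinstance(n, (ast.Name, ast.Attribute))]

def scan_source(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) findings for CWE-327 patterns in Python source, sorted by line."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        # Any reference to an ECB mode constant (e.g. AES.MODE_ECB) is flagged outright.
        if isinstance(node, ast.Attribute) and node.attr == "MODE_ECB":
            findings.append((node.lineno, "ECB mode selected"))
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # hashlib.md5(...) / hashlib.sha1(...) whose argument mentions a password-like name.
        if (isinstance(func, ast.Attribute) and func.attr in WEAK_HASHES
                and isinstance(func.value, ast.Name) and func.value.id == "hashlib"):
            used = [n for arg in node.args for n in _names_in(arg)]
            if any(hint in n for n in used for hint in PASSWORD_HINTS):
                findings.append((node.lineno, f"hashlib.{func.attr} applied to a password-like value"))
        # A bytes/str literal passed as iv= or nonce= is a hardcoded IV.
        for kw in node.keywords:
            if kw.arg in ("iv", "nonce") and isinstance(kw.value, ast.Constant) \
                    and isinstance(kw.value.value, (bytes, str)):
                findings.append((node.lineno, f"hardcoded {kw.arg} literal"))
    return sorted(findings)

# Constructed sample source; the Crypto import is only parsed, never resolved.
SAMPLE = """\
import hashlib
from Crypto.Cipher import AES

def hash_password(password):
    return hashlib.sha1(password.encode()).hexdigest()

def file_digest(data):
    return hashlib.md5(data).hexdigest()   # integrity checksum, not a credential

def encrypt(key, plaintext):
    cipher = AES.new(key, AES.MODE_CBC, iv=b"0000000000000000")
    return cipher.encrypt(plaintext)
"""
```

Running scan_source(SAMPLE) reports the sha1-on-password call on line 5 and the hardcoded IV on line 11, while the md5 checksum on line 8 is left alone because its input is not password-like.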

Example

Vulnerable

import hashlib

def hash_password(password):
    # Unsalted, fast hash: a leaked table can be cracked offline at GPU speed.
    return hashlib.sha256(password.encode()).hexdigest()

Fixed

from passlib.hash import argon2  # needs the argon2_cffi backend installed

def hash_password(password: str) -> str:
    # Generates a random salt and encodes it, the parameters and the hash
    # into one self-describing string suitable for storage.
    return argon2.hash(password)

def verify_password(password: str, stored_hash: str) -> bool:
    # Re-derives with the salt and parameters stored in stored_hash and compares.
    return argon2.verify(password, stored_hash)

Explanation

SHA-256 is a fast cryptographic hash. Modern GPUs compute billions of SHA-256 hashes per second. Once an attacker exfiltrates the hashed-password table, they can crack typical passwords offline in hours. argon2 (the current best practice, recommended by OWASP) is purposefully slow and memory-hard, raising the offline cracking cost by orders of magnitude. bcrypt and scrypt are also acceptable.

Where this fits in OWASP Top 10

Compliance framework mapping

Framework              Controls
OWASP Top 10 (2021)    A02:2021 Cryptographic Failures
NIST 800-53 Rev 5      SC-13 Cryptographic Protection; IA-5 Authenticator Management
PCI-DSS v4.0           3.6 Cryptographic key management; 8.3.2 Strong cryptography for credentials
HIPAA Security Rule    164.312(a)(2)(iv) Encryption and Decryption
FedRAMP                SC-13 Cryptographic Protection

Related CWEs

Deva detects CWE-327 alongside 970+ other CWE patterns at write time, with AI-assisted fix generation that maintains compliance.