In cryptography, "salt" is extra data that's included in a hashing algorithm to make dictionary attacks more difficult. Using a cryptographic hash function without an unpredictable salt increases the likelihood that an attacker will be able to successfully guess a hashed value such as a password with a dictionary attack.
You are at risk if you answered yes to any of those questions.
function createMyAccount() {
$email = $_GET['email'];
$name = $_GET['name'];
$password = $_GET['password'];
$hash = hash_pbkdf2('sha256', $password, $email, 100000); // Noncompliant; salt (3rd argument) is predictable because initialized with the provided $email
$hash = hash_pbkdf2('sha256', $password, '', 100000); // Noncompliant; salt is empty
$hash = hash_pbkdf2('sha256', $password, 'D8VxSmTZt2E2YV454mkqAY5e', 100000); // Noncompliant; salt is hardcoded
$hash = crypt($password); // Noncompliant; salt is not provided
$hash = crypt($password, ""); // Noncompliant; salt is hardcoded
$options = [
'cost' => 11,
'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM), // Noncompliant ; use salt generated by default
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
}
$salt = openssl_random_pseudo_bytes(16);
$hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);