In cryptography, a "salt" is a piece of random data that is combined with a password before the password is hashed, so that the same password produces a different hash for every user. Without an unpredictable, per-password salt, an attacker who obtains the stored hashes can look them up in databases of precomputed hashes (rainbow tables) and crack every account that shares a password with a single guess.
This rule raises an issue when a function specifically designed for hashing passwords, such as PBKDF2, is called with a salt that is predictable, reused (hardcoded) or too short. It does not raise an issue on plain hash functions such as SHA-1 or MD5, because those should not be used to hash passwords at all.
Noncompliant code example:

function createMyAccount() {
    $email = $_GET['email'];
    $name = $_GET['name'];
    $password = $_GET['password'];

    $hash = hash_pbkdf2('sha256', $password, $email, 100000); // Noncompliant; salt (3rd argument) is predictable because it is the user-supplied $email
    $hash = hash_pbkdf2('sha256', $password, '', 100000); // Noncompliant; salt is empty
    $hash = hash_pbkdf2('sha256', $password, 'D8VxSmTZt2E2YV454mkqAY5e', 100000); // Noncompliant; salt is hardcoded, so every account shares it

    $hash = crypt($password); // Noncompliant; no salt is provided (the salt argument is mandatory since PHP 8.0, so this also fails there)
    $hash = crypt($password, ""); // Noncompliant; salt is empty and hardcoded; crypt() returns a failure string in PHP 8

    $options = [
        'cost' => 11,
        'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM), // Noncompliant; do not supply a salt to password_hash(), it generates one itself (the 'salt' option was deprecated in PHP 7.0 and removed in 8.0; mcrypt itself was removed in 7.2)
    ];
    echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
}
Compliant solution:

$iterations = 100000;
$salt = openssl_random_pseudo_bytes(16); // 16 bytes from a CSPRNG, generated freshly for each password (random_bytes(16) is equivalent on PHP >= 7.0)
$hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);
// Store $salt alongside $hash: it is not secret, but it is needed to recompute the hash when the password is verified.
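The rule text explains what a salt must be (random, per password, long enough) but not how the salt travels from registration to login. The following is an added example, not part of the rule description or of any Sonar code: it hashes a password with PBKDF2 and a per-user random salt, stores the salt and parameters next to the hash, verifies in constant time, and shows the simpler password_hash()/password_verify() route where PHP generates and embeds the salt itself. The function and constant names (pbkdf2_hash_password, pbkdf2_verify_password, bcrypt_hash_password, bcrypt_verify_password, PBKDF2_*) and the iteration count are assumptions chosen for illustration.

```php
<?php
// Added example (not from the rule description): salted PBKDF2 hashing with
// verification, next to the password_hash()/password_verify() API.
// All names and the iteration count below are illustrative assumptions.

const PBKDF2_ALGO = 'sha256';
const PBKDF2_ITERATIONS = 600000; // assumption: tune so one hash takes ~100 ms on your hardware
const PBKDF2_SALT_BYTES = 16;     // 128-bit salt, well above what a rainbow table can precompute

// Returns an array holding everything needed to verify the password later.
// The salt is stored in clear next to the hash: it is not a secret, it only
// has to be unique per password and unpredictable.
function pbkdf2_hash_password(string $password): array
{
    $salt = random_bytes(PBKDF2_SALT_BYTES); // CSPRNG, PHP >= 7.0
    // length 0 = full digest, binary = true avoids the hex encoding
    $hash = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, 0, true);
    return [
        'algo'       => PBKDF2_ALGO,
        'iterations' => PBKDF2_ITERATIONS,
        'salt'       => base64_encode($salt),
        'hash'       => base64_encode($hash),
    ];
}

// Recomputes the hash from the stored parameters and compares it in constant
// time with hash_equals(), so a timing side channel cannot leak the prefix.
function pbkdf2_verify_password(string $password, array $record): bool
{
    $salt     = base64_decode($record['salt'], true);
    $expected = base64_decode($record['hash'], true);
    if ($salt === false || $expected === false) {
        return false; // corrupted record; never fall through to a weaker check
    }
    $actual = hash_pbkdf2($record['algo'], $password, $salt, (int) $record['iterations'], 0, true);
    return hash_equals($expected, $actual);
}

// The native API does the salt handling for you: password_hash() draws a random
// salt and embeds it, together with the cost, in the returned string, and
// password_verify() reads it back. Nothing to store apart from that string.
function bcrypt_hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function bcrypt_verify_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Demonstration with a constructed password.
$record = pbkdf2_hash_password('correct horse battery staple');
var_dump(pbkdf2_verify_password('correct horse battery staple', $record));
var_dump(pbkdf2_verify_password('wrong password', $record));

// Two registrations of the same password get different salts, hence different
// hashes: this is exactly what a hardcoded or empty salt would lose.
$other = pbkdf2_hash_password('correct horse battery staple');
var_dump($record['hash'] !== $other['hash']);

$stored = bcrypt_hash_password('correct horse battery staple');
var_dump(bcrypt_verify_password('correct horse battery staple', $stored));
```

Keeping the algorithm and iteration count in the stored record is what lets you raise PBKDF2_ITERATIONS later and rehash users on their next successful login without breaking existing accounts; the bcrypt route gets the same property from password_needs_rehash(). Note that bcrypt only considers the first 72 bytes of the password, which is one reason to prefer the PBKDF2 path or PASSWORD_ARGON2ID where very long passphrases are expected.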