Cryptographic Issues

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or ...

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptog...

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attac...

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking at...

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably...

Obscuring a password with a trivial encoding does not protect the password.

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...