9/30/2025 • 2 min read

Cryptographic Failures: OWASP Top 10 Explained

Estimated reading time: ~11 minutes

The Problem

In 2021, a major Indian telecom leaked millions of plaintext passwords. No malware, no advanced exploit — just poor cryptography.

This is why Cryptographic Failures (formerly "Sensitive Data Exposure") remain high on the OWASP Top 10 list.

What It Is

Cryptographic failures happen when apps:

• Use weak algorithms (MD5, SHA-1)
• Fail to encrypt sensitive data at rest
• Transmit data without TLS
• Store keys in code or repos

Common Cryptographic Mistakes

1. Weak Password Hashing

   • Using MD5, SHA-1, or unsalted hashes
   • Example: password123 → 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

2. Insecure Data Transmission

   • HTTP instead of HTTPS
   • Weak TLS configurations
   • Missing certificate validation

3. Poor Key Management

   • Hardcoded encryption keys in source code
   • Keys stored in plaintext configuration files
   • No key rotation policies

Related: Learn about Security Misconfiguration for proper key storage and configuration management.

4. Inadequate Encryption
   • Using deprecated algorithms (DES, RC4)
   • Weak key lengths (< 128 bits)
   • Poor random number generation

Real-World Examples

• LinkedIn (2012): 117M passwords hashed with unsalted SHA-1, easily cracked.
• Equifax (2017): Data encrypted, but keys stored insecurely on servers.
• Adobe (2013): 38M user records with weak encryption, leading to massive password leaks.

Why It Matters

• PII theft → identity fraud.
• PCI/GDPR noncompliance → fines.
• Loss of customer trust.
• Regulatory penalties can reach millions of dollars.

How to Prevent It

• Always enforce TLS 1.3+.
• Use bcrypt, Argon2, or scrypt for passwords.
• Store encryption keys securely (KMS, Vault).
• Rotate keys regularly.
• Implement proper certificate management.
• Use strong random number generators.
• Validate all cryptographic inputs.

Best Practices

1. Password Security

   // Good: Use bcrypt with proper salt rounds
   const bcrypt = require('bcrypt');
   const hashedPassword = await bcrypt.hash(password, 12);
   

2. Data Encryption

   // Good: Use AES-256-GCM for data encryption
   const crypto = require('crypto');
   const algorithm = 'aes-256-gcm';
   const key = crypto.randomBytes(32);
   

3. Key Management

   • Use environment variables for keys
   • Implement key rotation policies
   • Store keys in dedicated key management systems

Tools

• OpenSSL for encryption checks.
• Rafter scans for hardcoded secrets and weak storage.
• OWASP Dependency Check for vulnerable crypto libraries.
• SSL Labs for TLS configuration testing.

Conclusion

Cryptography only works when used properly. Weak or missing crypto = sensitive data exposure.

Next Steps:

• Audit your current cryptographic implementations
• Implement proper key management
• Run a Rafter scan to ensure you're not storing keys or credentials insecurely

Related Resources

• OWASP Top 10: 2025 Developer Guide
• API Keys Explained
• Exposed API Keys: The Silent Killer