Reversible One Way Hash in cryptography Module
The Python module cryptography provides a number of hash algorithms, exposed as classes in cryptography.hazmat.primitives.hashes. However, some of the hash algorithms supported by cryptography are insecure and should not be used. These insecure hash algorithms include MD5 and SHA1.
The MD5 hash algorithm is a cryptographic hash function designed in 1991. MD5 is no longer considered secure: practical collision attacks have been public since 2004, and because the digest is fast to compute and usually applied without a salt, passwords hashed with MD5 can be cracked by attackers at very high guess rates.
The SHA-1 hash algorithm is a cryptographic hash function published by NIST in 1995. SHA-1 is also no longer considered secure: a practical collision was demonstrated in 2017, and, like MD5, it gives hashed passwords no protection against brute-force cracking.
Example
import cryptography.hazmat.primitives.hashes  # import the submodule; a bare `import cryptography` does not load it
cryptography.hazmat.primitives.hashes.MD5()  # flagged by PY504: MD5 is not collision resistant
Remediation
The recommendation is to swap the insecure hashing method for one of the more secure alternatives, SHA256 or SHA512.
import cryptography.hazmat.primitives.hashes
cryptography.hazmat.primitives.hashes.SHA256()  # SHA-2 digest; no longer flagged
Note that this swap restores collision resistance but does not make a digest suitable for password storage: SHA-256 and SHA-512 are as fast to brute force as MD5. If the hash protects a password, use a salted, iterated key derivation function instead, such as the PBKDF2HMAC or Scrypt classes under cryptography.hazmat.primitives.kdf.
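The following is an added example, not code from this page or from the cryptography project. It uses the standard library's hashlib so it runs without cryptography installed; the comments name the cryptography equivalents. It shows the three points above in working code: why an unsalted MD5 password digest falls to a dictionary lookup, what the recommended SHA-2 digest looks like for integrity use, and how password storage should be done with a salted, iterated KDF and a constant-time comparison. The wordlist, the "leaked" digest, and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Algorithms PY504 flags, and what this page recommends in their place.
FLAGGED = {"md5", "sha1"}
ACCEPTED = {"sha256", "sha512"}

# Constructed stand-in for a leaked database row: an unsalted MD5 of a weak password.
LEAKED_MD5_DIGEST = hashlib.md5(b"letmein").hexdigest()
# Constructed wordlist; real attacks use lists with billions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon"]


def crack_unsalted(digest_hex, algorithm, wordlist):
    """Recover the input behind an unsalted fast digest by dictionary lookup.

    This is why passwords hashed with MD5 (or SHA-1) are easily cracked: the
    attacker hashes guesses and compares, billions of times per second on a GPU.
    """
    for candidate in wordlist:
        if hashlib.new(algorithm, candidate.encode("utf-8")).hexdigest() == digest_hex:
            return candidate
    return None


def integrity_digest(data, algorithm="sha256"):
    """Hex digest for integrity checks and fingerprints (the remediation above).

    cryptography equivalent: h = hashes.Hash(hashes.SHA256()); h.update(data); h.finalize()
    """
    algorithm = algorithm.lower()
    if algorithm in FLAGGED or algorithm not in ACCEPTED:
        raise ValueError("use sha256 or sha512, not %s" % algorithm)
    return hashlib.new(algorithm, data).hexdigest()


# Assumption: iteration count in the range OWASP recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Store passwords with a salted, iterated KDF, never a bare digest of any family.

    cryptography equivalent: PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
    salt=salt, iterations=iterations).derive(password)
    """
    salt = os.urandom(16)  # per-password random salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iterations, then compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("cracked MD5 password:", crack_unsalted(LEAKED_MD5_DIGEST, "md5", WORDLIST))
    print("sha256(b'abc'):", integrity_digest(b"abc"))
    record = hash_password("letmein")
    print("verify correct/wrong:", verify_password("letmein", record), verify_password("guess", record))
```

The stored record carries the scheme, iteration count and salt alongside the derived key, so the iteration count can be raised later without invalidating existing records, and hmac.compare_digest prevents timing differences from leaking how many bytes of the derived key matched.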
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY504) or rule category name (reversible_one_way_hash).
- Using rule ID
import cryptography.hazmat.primitives.hashes
# suppress: PY504
cryptography.hazmat.primitives.hashes.MD5()
- Using category name
import cryptography.hazmat.primitives.hashes
# suppress: reversible_one_way_hash
cryptography.hazmat.primitives.hashes.MD5()
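As an added example (not the linter's own implementation), here is a small scanner that finds the calls this rule flags and honours the suppression comments described above. It uses only the standard library ast module, so it runs offline. Assumptions made for the example: a flagged call is any construction of hashes.MD5 or hashes.SHA1, whether written with the full module path, through a hashes name, or through a name bound by `from cryptography.hazmat.primitives.hashes import ...`; "trailing or preceding comment line" is read as a comment on the same line as the call or a comment-only line immediately before it; and a comment may list several comma-separated rule IDs. The sample source is constructed for the example.

```python
import ast
import re
import textwrap

RULE_ID = "PY504"
RULE_NAME = "reversible_one_way_hash"
# Class names in cryptography.hazmat.primitives.hashes that this rule flags.
INSECURE_HASHES = {"MD5", "SHA1"}
HASHES_MODULE = "cryptography.hazmat.primitives.hashes"
# Matches "# suppress: PY504" and "# suppress: PY504, reversible_one_way_hash".
SUPPRESS_RE = re.compile(r"#\s*suppress:\s*([\w, ]+)")


def _flagged_algorithm(func, aliases):
    """Return 'MD5'/'SHA1' if `func` refers to a flagged hashes class, else None."""
    if isinstance(func, ast.Name):
        # bare name bound by `from cryptography.hazmat.primitives.hashes import MD5 [as x]`
        return aliases.get(func.id)
    if isinstance(func, ast.Attribute) and func.attr in INSECURE_HASHES:
        owner = func.value  # `hashes` in hashes.MD5 or ...primitives.hashes.MD5
        owner_name = owner.attr if isinstance(owner, ast.Attribute) else getattr(owner, "id", None)
        if owner_name == "hashes":
            return func.attr
    return None


def _is_suppressed(lines, lineno):
    """Assumption: a suppression is a trailing comment on the flagged line or a
    comment-only line immediately before it, naming this rule's ID or category."""
    candidates = [lines[lineno - 1]]
    if lineno >= 2 and lines[lineno - 2].lstrip().startswith("#"):
        candidates.append(lines[lineno - 2])
    for text in candidates:
        match = SUPPRESS_RE.search(text)
        if not match:
            continue
        names = {name.strip() for name in match.group(1).split(",")}
        if names & {RULE_ID, RULE_NAME}:
            return True
    return False


def scan_source(source):
    """Return [{'line': n, 'algorithm': ...}] for every unsuppressed insecure hash call."""
    tree = ast.parse(source)
    lines = source.splitlines()
    aliases = {}  # local name -> flagged class name, from `from ...hashes import ...`
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == HASHES_MODULE:
            for alias in node.names:
                if alias.name in INSECURE_HASHES:
                    aliases[alias.asname or alias.name] = alias.name
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        algorithm = _flagged_algorithm(node.func, aliases)
        if algorithm and not _is_suppressed(lines, node.lineno):
            findings.append({"line": node.lineno, "algorithm": algorithm})
    return sorted(findings, key=lambda finding: finding["line"])


# Constructed sample input covering flagged, accepted and suppressed forms.
SAMPLE_SOURCE = textwrap.dedent('''\
    import cryptography
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.hashes import SHA1 as LegacySHA1

    cryptography.hazmat.primitives.hashes.MD5()  # flagged (line 5)
    hashes.SHA256()  # accepted: SHA-2 is not flagged
    # suppress: reversible_one_way_hash
    hashes.MD5()  # suppressed by the preceding comment line
    hashes.SHA1()  # suppress: PY504
    LegacySHA1()  # flagged through the import alias (line 10)
    hashes.MD5()  # suppress: PY999
''')

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print("%s: line %d uses %s" % (RULE_ID, finding["line"], finding["algorithm"]))
```

Running it reports lines 5, 10 and 11: the last line is still flagged because its comment names a different rule ID, and line 10 is not covered by the suppression on line 9 because that line is code, not a comment-only line.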