Insecure Encryption Algorithm - MD5 - Elixir

Need

To protect stored user passwords with a purpose-built, salted, slow password hashing function rather than a fast general-purpose digest.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Ecto (3.6.2 and above) for database query and manipulation
  • Usage of Comeonin, the password hashing behaviour that bcrypt_elixir implements (Comeonin 4 exposed the wrapper as Comeonin.Bcrypt; Comeonin 5 and later use the Bcrypt module from bcrypt_elixir directly)
  • Usage of bcrypt_elixir for salted, cost-tunable password hashing and constant-time verification

Description

Non compliant code

        defmodule MyApp.User do
          use Ecto.Schema

          schema "users" do
            field :password_hash, :string
          end

          # Vulnerable: a single unsalted MD5 digest. Equal passwords give
          # equal digests, precomputed tables apply, and MD5 is cheap
          # enough that an offline attacker tests billions of guesses per
          # second. Note also that :crypto.hash/2 returns a raw 16-byte
          # binary, not a string fit for the :password_hash column.
          def hash_password(password) do
            :crypto.hash(:md5, password)
          end
        end

This code is vulnerable because MD5 is a fast, unsalted general-purpose digest, not a password hashing function. Identical passwords produce identical digests, so precomputed tables and cross-account matching work, and because the digest is cheap to compute an attacker who obtains the users table can test billions of candidates per second offline. Captured credentials are therefore easy to recover, and nothing in this code slows that down.

Steps

  • Replace MD5 with a purpose-built password hashing function with a per-hash random salt and a tunable work factor, such as bcrypt, PBKDF2 or Argon2.
  • Use bcrypt_elixir's Bcrypt module (Comeonin 4 exposed the same functions as Comeonin.Bcrypt) to hash with Bcrypt.hash_pwd_salt/1 and store the full returned string, which already embeds the salt and cost.
  • Verify logins with Bcrypt.verify_pass/2, never by hashing and comparing with ==, and call Bcrypt.no_user_verify/0 when the user does not exist so response time does not reveal which accounts are real.

Compliant code

        defmodule MyApp.User do
          use Ecto.Schema

          schema "users" do
            field :password_hash, :string
          end

          # Bcrypt.hash_pwd_salt/1 (bcrypt_elixir; Comeonin.Bcrypt.hashpwsalt/1
          # in Comeonin 4 and earlier) draws a fresh 16-byte random salt and
          # returns a string that embeds the salt and cost factor, so the
          # whole value is stored in :password_hash as-is. Verify later with
          # Bcrypt.verify_pass/2, not by comparing strings.
          def hash_password(password) do
            Bcrypt.hash_pwd_salt(password)
          end
        end

In this secure code example, MD5 is replaced with bcrypt. Each call to Bcrypt.hash_pwd_salt/1 uses a new random salt and a configurable cost (log_rounds, default 12 in bcrypt_elixir), so equal passwords no longer produce equal hashes, precomputed tables are useless, and every guess costs the attacker roughly the same tens of milliseconds it costs the server. Two caveats remain: bcrypt only processes the first 72 bytes of input, so enforce a maximum password length at validation time rather than silently truncating, and the cost factor should be raised as hardware gets faster (and lowered only in test configuration).
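The following is an added example, not code from the original page, that carries the steps above through to a complete registration and login flow: bcrypt_elixir wired into an Ecto changeset, verification with Bcrypt.verify_pass/2, the timing-equalising Bcrypt.no_user_verify/0 path for unknown users, and a small comparison that makes the MD5 weakness visible. The module names MyApp.Accounts.User and MyApp.HashDemo, the :email and virtual :password fields, the 12-character minimum and the compare/1 helper are this example's own assumptions.

```elixir
# Added example (not part of the original page). Assumes bcrypt_elixir 2.x
# and Ecto 3.6+; module and field names are illustrative.
defmodule MyApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    # Virtual and redacted: accepted on input, never written to the
    # database and hidden from inspect/1 output and logs.
    field :password, :string, virtual: true, redact: true
    field :password_hash, :string
    timestamps()
  end

  @doc "Registration changeset; the plaintext only ever lives in :password."
  def registration_changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    # bcrypt silently ignores input past 72 bytes, so reject longer
    # passwords instead of truncating them. count: :bytes matters because
    # the default counts graphemes, not bytes.
    |> validate_length(:password, min: 12, max: 72, count: :bytes)
    |> put_password_hash()
  end

  # Hash only when the changeset is valid and a password was supplied;
  # otherwise an invalid changeset would still pay the bcrypt cost.
  defp put_password_hash(%Ecto.Changeset{valid?: true, changes: %{password: pw}} = cs) do
    cs
    |> put_change(:password_hash, Bcrypt.hash_pwd_salt(pw))
    |> delete_change(:password)
  end

  defp put_password_hash(changeset), do: changeset

  @doc """
  Checks a login attempt. For a missing user or hash, no_user_verify/0
  still runs a bcrypt computation so the response time is the same as for
  a real account and does not leak which emails are registered.
  """
  def valid_password?(%__MODULE__{password_hash: hash}, password)
      when is_binary(hash) and is_binary(password) do
    Bcrypt.verify_pass(password, hash)
  end

  def valid_password?(_user, _password) do
    Bcrypt.no_user_verify()
    false
  end
end

defmodule MyApp.HashDemo do
  @doc """
  Hashes the same password twice with MD5 and twice with bcrypt. MD5 is
  deterministic (lookup tables and cross-account matching work); bcrypt
  differs every time because of its random salt, yet both values verify.
  """
  def compare(password) do
    md5 = fn -> :crypto.hash(:md5, password) |> Base.encode16(case: :lower) end
    {md5_a, md5_b} = {md5.(), md5.()}
    {bc_a, bc_b} = {Bcrypt.hash_pwd_salt(password), Bcrypt.hash_pwd_salt(password)}

    %{
      md5_deterministic?: md5_a == md5_b,
      bcrypt_deterministic?: bc_a == bc_b,
      bcrypt_verifies?: Bcrypt.verify_pass(password, bc_a) and Bcrypt.verify_pass(password, bc_b),
      bcrypt_rejects_wrong?: not Bcrypt.verify_pass(password <> "x", bc_a)
    }
  end
end

# Usage (iex):
#   MyApp.HashDemo.compare("correct horse battery staple")
#   => %{md5_deterministic?: true, bcrypt_deterministic?: false,
#        bcrypt_verifies?: true, bcrypt_rejects_wrong?: true}
```

The cost factor is read from the application environment (config :bcrypt_elixir, log_rounds: 12); keeping the production default and lowering it only in test config keeps the test suite fast without weakening stored hashes. Because the salt and cost are embedded in each hash string, raising log_rounds later does not invalidate existing rows; old hashes keep verifying and can be re-hashed on the user's next successful login.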

References