OWASP #2 (2021) – Cryptographic Failures
Cryptographic Failures happen when sensitive data isn’t properly protected - usually because encryption was misused, misconfigured, or skipped entirely.
Common issues include:
- Storing passwords without hashing or using weak hashes (e.g. MD5).
- Sending data over HTTP instead of HTTPS.
- Hardcoding secrets or exposing private keys.
- Poor key management or broken TLS settings.
These mistakes often lead to data breaches, account takeovers, or leaks of personal information. Most aren’t due to broken algorithms - they’re caused by bad practices or skipped precautions.
To prevent them:
- Hash passwords with a strong algorithm (e.g. bcrypt).
- Use HTTPS everywhere.
- Store secrets securely (not in code).
- Follow modern cryptography standards and use well-maintained libraries.
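As an added illustration of the first issue and its fix (example code written for this summary, not from OWASP), here is the unsalted-MD5 pattern beside a salted, slow password hash. bcrypt is not in the Python standard library, so the hardened version uses the standard-library `hashlib.scrypt` as an assumed stand-in; the `bcrypt` package can be substituted.

```python
import hashlib
import hmac
import os

# The weak pattern: unsalted MD5. Every user with the same password gets the
# same digest, and MD5 is fast, so precomputed tables and brute force recover
# the plaintext cheaply once the database leaks.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# The hardened form: a slow, salted password KDF. Assumption: scrypt from the
# standard library is used here in place of bcrypt. Raise n as hardware improves.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}


def hash_password(password: str) -> str:
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    # Store algorithm, parameters, salt and digest together so records can be
    # verified and later upgraded without guessing how they were produced.
    return "scrypt${n}${r}${p}${salt}${digest}".format(
        salt=salt.hex(), digest=digest.hex(), **SCRYPT_PARAMS
    )


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or legacy record: reject, do not guess
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=32,
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```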
Good crypto is about decisions, not just algorithms. Don’t assume it’s handled - verify.