Swift

Made by DeepSource

Use of insufficient number of iterations during hash computation SW-S1001

Security
Critical
cwe-327 cwe-916 cwe-693

The iteration count of a password-based key derivation function such as PBKDF2 sets how much work every guess costs: for the server computing one hash at login, and for an attacker testing millions of candidate passwords against a stolen hash database. A low count makes each guess cheap, so offline brute-force and dictionary attacks against the leaked hashes finish quickly. Precomputed (rainbow table) attacks are a separate problem: they are defeated by a unique random salt per password, not by the iteration count, so a secure scheme needs both.

With too few iterations, an attacker who obtains the hashes can try candidate passwords at a rate limited only by their hardware, and every cracked hash is a compromised account. Cost scales linearly with the count: moving from 50,000 to 150,000 iterations triples the attacker's work per guess while adding only a fraction of a second to a legitimate login.

Use at least 120,000 iterations. Treat that number as a floor rather than a target: the OWASP Password Storage Cheat Sheet currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256, and the count should be calibrated so one derivation takes a few hundred milliseconds on the authentication server, then raised as hardware gets faster. Store the iteration count next to the salt and the derived key so existing hashes can be re-derived at a stronger setting when the user next logs in.

Bad Practice

import CryptoSwift

// CryptoSwift's PKCS5.PBKDF1 only offers MD5/SHA-1 variants; PBKDF2 with HMAC-SHA256 is the call to use.
// getRandomArray() stands in for input here: the password bytes come from the user, the salt must be
// random and unique per password. 50,000 iterations is below the 120,000 minimum and is flagged.
let hash = try PKCS5.PBKDF2(password: getRandomArray(), salt: getRandomArray(), iterations: 50000, variant: .sha256).calculate()

Recommended

import CryptoSwift

// 150,000 iterations of PBKDF2-HMAC-SHA256 clears the 120,000 floor; raise it further as hardware allows.
let hash = try PKCS5.PBKDF2(password: getRandomArray(), salt: getRandomArray(), iterations: 150000, variant: .sha256).calculate()
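The following is an added example, not code from DeepSource or CryptoSwift. It shows the policy this rule enforces and what a practitioner builds around it: refuse iteration counts below the floor, store the count with the salt and derived key, verify in constant time, flag legacy hashes made with too few iterations (like the 50,000 in Bad Practice above) for re-hashing at the next login, and calibrate the count to a time budget. It is written in Python because hashlib's PBKDF2-HMAC-SHA256 is the same RFC 8018 function that CryptoSwift's PKCS5.PBKDF2 computes and it runs without third-party packages; the record format, function names, probe size and the 16-byte salt length are this example's own choices.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

MIN_ITERATIONS = 120_000    # floor from the rule text
PROBE_ITERATIONS = 10_000   # short run used to measure this machine's speed (example choice)
SALT_BYTES = 16             # example choice; the salt must be random and unique per password


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Raw PBKDF2-HMAC-SHA256 with a 32-byte output. Cost is linear in `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def iterations_acceptable(iterations: int) -> bool:
    """The check the analyzer performs statically, applied at runtime."""
    return iterations >= MIN_ITERATIONS


def encode(iterations: int, salt: bytes, dk: bytes) -> str:
    # Self-describing record (example format): the parameters travel with the hash,
    # so it can be verified now and upgraded later without out-of-band knowledge.
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def decode(record: str) -> Tuple[int, bytes, bytes]:
    alg, iters, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2-sha256":
        raise ValueError(f"unsupported record type {alg!r}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def hash_password(password: str, iterations: int = MIN_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Refuses weak settings instead of silently producing a cheap hash."""
    if not iterations_acceptable(iterations):
        raise ValueError(f"iterations={iterations} is below the minimum of {MIN_ITERATIONS}")
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    if len(salt) < SALT_BYTES:
        raise ValueError(f"salt must be at least {SALT_BYTES} random bytes")
    return encode(iterations, salt, derive(password, salt, iterations))


def verify_password(password: str, record: str) -> bool:
    iterations, salt, expected = decode(record)
    # Constant-time comparison of the derived key against the stored one.
    return hmac.compare_digest(derive(password, salt, iterations), expected)


def needs_rehash(record: str, policy_iterations: int = MIN_ITERATIONS) -> bool:
    """True when a stored hash used fewer iterations than current policy.
    Call it after a successful verify_password and re-hash the plaintext you just checked."""
    iterations, _, _ = decode(record)
    return iterations < policy_iterations


def seconds_per_derivation(iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine."""
    t0 = time.perf_counter()
    derive("timing-probe", b"\x00" * SALT_BYTES, iterations)
    return time.perf_counter() - t0


def calibrate_iterations(target_seconds: float, floor: int = MIN_ITERATIONS) -> int:
    """Pick a count so one derivation takes about `target_seconds` here, never below `floor`.
    Because cost is linear in the count, a short probe can be scaled up."""
    per_iteration = seconds_per_derivation(PROBE_ITERATIONS) / PROBE_ITERATIONS
    return max(floor, int(target_seconds / per_iteration))


if __name__ == "__main__":
    # Constructed sample credential; the salt comes from os.urandom inside hash_password.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("incorrect horse", record))

    # A legacy hash made with the 50,000 iterations from the Bad Practice snippet.
    legacy_salt = os.urandom(SALT_BYTES)
    legacy = encode(50_000, legacy_salt, derive("hunter2", legacy_salt, 50_000))
    if verify_password("hunter2", legacy) and needs_rehash(legacy):
        upgraded = hash_password("hunter2", calibrate_iterations(0.25))
        print("upgraded to", decode(upgraded)[0], "iterations")

    for n in (50_000, 150_000):
        print(f"{n:>7} iterations: {seconds_per_derivation(n):.3f}s per guess")
```

The upgrade path matters as much as the floor: an analyzer can only see the constant in the source, so hashes already in the database at the old count stay weak until the plaintext is available again at login and `needs_rehash` triggers a re-derivation.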