OWASP Top 10: Cryptographic Failures¶
Formerly known as Sensitive Data Exposure. Poor cryptography leads to leaks of passwords, payment details, and personal data.
Common Mistakes¶
- Storing passwords in plaintext or with MD5/SHA1
- Using HTTP instead of HTTPS
- Hardcoded encryption keys in code
- Weak algorithms (DES, RC4, SHA1 for signatures)
- Insufficient key length (RSA < 2048 bit)
Proper Password Hashing¶
```python
import bcrypt

password = b"tajne_heslo"
# gensalt() produces a fresh random salt; rounds=12 is the work factor (2^12 iterations)
hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))
bcrypt.checkpw(password, hashed)  # True
```
```python
from argon2 import PasswordHasher

# time_cost: iterations, memory_cost: KiB (65536 = 64 MiB), parallelism: lanes
ph = PasswordHasher(time_cost=3, memory_cost=65536, parallelism=4)
hash = ph.hash("tajne_heslo")
ph.verify(hash, "tajne_heslo")  # True; raises VerifyMismatchError on a wrong password
```
Data Encryption — AES-256-GCM¶
```python
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os

key = os.urandom(32)    # 256-bit key
nonce = os.urandom(12)  # 96-bit nonce; must never be reused with the same key
aesgcm = AESGCM(key)
ct = aesgcm.encrypt(nonce, b"citliva data", b"aad")  # ciphertext followed by a 16-byte auth tag
pt = aesgcm.decrypt(nonce, ct, b"aad")               # raises InvalidTag if ct or aad were altered
```
Checklist¶
- Classify data by sensitivity
- Encrypt everything sensitive at rest and in transit
- Use AES-256, RSA-2048+, SHA-256+
- Hash passwords with Argon2id or bcrypt
- Store keys in a key vault (Azure KV, AWS KMS, Vault)
- Rotate keys regularly
- Enforce HTTPS with HSTS header
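As an added example (not code from the original page), a login-side pattern that avoids the first mistake listed above: a salted, self-describing password record that is verified in constant time and flagged for rehash when its cost parameters fall behind the current policy. It uses the standard library's hashlib.scrypt in place of the Argon2id/bcrypt calls shown earlier so it runs without third-party packages; the record format and function names are this example's own.

```python
import hashlib
import hmac
import os

# Cost parameters for hashlib.scrypt (stdlib): n = CPU/memory cost, r = block size,
# p = parallelism. 2^14 * 8 * 128 bytes = 16 MiB, under hashlib's 32 MiB default limit.
# Raising them later is handled by needs_rehash() at the next successful login.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def hash_password(password: str, params: dict = SCRYPT_PARAMS) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex."""
    salt = os.urandom(16)  # unique per record, so equal passwords yield different hashes
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **params)
    return "scrypt${n}${r}${p}${salt}${hash}".format(
        salt=salt.hex(), hash=digest.hex(), **params
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # unknown/legacy format: never accept, force a reset path instead
    _, n, r, p, salt_hex, hash_hex = parts
    digest = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=32,
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record: str, params: dict = SCRYPT_PARAMS) -> bool:
    """True for legacy records (e.g. bare MD5) or scrypt records with weaker cost."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return (n, r, p) != (params["n"], params["r"], params["p"])


def unsalted_md5(password: str) -> str:
    """The 'common mistake' for comparison: fast, unsalted, identical for identical inputs."""
    return hashlib.md5(password.encode()).hexdigest()
```

On a successful login, call needs_rehash() and, if it returns True, store hash_password() of the just-verified password; this is how a legacy MD5 column gets migrated without forcing every user to reset.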
Key Takeaway¶
Encrypt everything sensitive, use modern algorithms, and never store keys in code. Cryptography is a field where ‘almost correct’ means ‘completely wrong’.