From 02e96fa830c637f3d28f5018718cb98104dda66d Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 15 Jul 2025 10:38:36 +0200 Subject: [PATCH 01/17] Fixes #2585 --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 34 ++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 4d19d10..d49e526 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -1,7 +1,7 @@ --- -title: Improper Hashing +title: Deprecated, Risky or Broken Hashing id: MASWE-0021 -alias: improper-hashing +alias: weak-hashing platform: [android, ios] profiles: [L1, L2] mappings: @@ -12,6 +12,7 @@ mappings: refs: - https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf +- https://cwe.mitre.org/data/definitions/328.html - https://en.wikipedia.org/wiki/Collision_attack - https://csrc.nist.gov/pubs/ir/8547/ipd draft: 
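Review bot: the `alias` change from `improper-hashing` to `weak-hashing` in this hunk is a breaking change for every link that reaches the weakness by its slug, whereas the `title` change is cosmetic; keep the alias stable (as a later commit in this series ends up doing) or ship a redirect with it. The added CWE-328 reference is the right one regardless of which title wins, since CWE-328 is "Use of Weak Hash", so keep it even if the title is reverted.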
@@ -19,7 +20,34 @@ draft: sensitive context may compromise data integrity and authenticity. topics: - Broken hashing algorithms (e.g. MD5, SHA1, etc.) -status: placeholder +status: draft --- +Choosing a deprecated, risky or broken hash algorithm, that is insufficiently collision resistant, may compromise the integrity and authenticity of data at rest and in transit by making the app vulnerable to collision attacks. + +when performing key derivation together with predictable input or in password hashing, the digest (or hash) of an improper implemented or used hash function may allow an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (second preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack/collision attack), given the actor can arbitrarily choose the inputs to be hashed and can do so a reasonable amount of times. + +What is regarded as "reasonable" varies by context and threat model, but in general, "reasonable" could cover any attack that is more efficient than brute force (i.e., on average, attempting half of all possible combinations). Note that some attacks might be more efficient than brute force but are still not regarded as achievable in the real world. + +Any algorithm that does not meet the above conditions will generally be considered risky or too "weak" for general use in hashing. When a collision attack is discovered and is found to be faster than a birthday attack, a hash function is often denounced as "broken". This is the case for MD5 and SHA-1. + +Another common issue is using a HKDF for key derivation with any type of integrity based hashing algorithm like MD5, SHA-1, SHA-2 or even SHA-3 on low-entropy input like user supplied passwords and pins. HKDF aren't designed for low-entropy inputs. Doing so will result in producing "weak" hashes that easily can be broken. 
+ +## Impact + +- **Loss of Integrity and authenticity**: A deprecated, risky or broken hashing algorithm, may allow an attacker to compromise the integrity and authenticity of data at rest and in transit. +- **Loss of Confidentiality**: A deprecated, risky or broken hashing algorithm may expose the preimage (input) and in so doing break the confidentiality. +- **Risk of Brute-Force Attacks**: A deprecated, risky or broken hashing is susceptible to brute-force attacks. + +## Modes of Introduction + +- **using a deprecated, risky or broken hashing algorithm**: E.g: MD5 and SHA-1 have been identified to be vulnerable to collision attacks that are faster than a birthday attack. This means they are denounced as "broken". +- **Using an insufficiently collision resistant hash**: Choosing a a hashing algorithm of insufficient length may result in loss of integrity or confidentiality. +- **Using non-resource intensive algorithms on low-entropy input**: Using a integrity based hashing algorithm to hash low-entry input like pin numbers would make brute-force or dictionary attacks trivial. + +## Mitigations + +- **Choose collision resistant algorithm**: Choose an algorithm that is sufficiently collision resistant like the integrity algorithms SHA-256, SHA-384, SHA-512, BLAKE3 and the SHA-3 family +- **Choose an algorithm with sufficient bit-lengths**: As our computers gets stronger, the hashes gets weaker, therefore, make sure that you can adjust the bit-length length of the algorithm of your choosing. When hashes are stored at rest, make sure to follow the software industry's long term recommendations (e.g: ["NIST: Transition to Post-Quantum Cryptography Standards](https://csrc.nist.gov/pubs/ir/8547/ipd)"). +- **Choose an algorithm fit for it's purpose**: When you want to ensure the data's integrity choose a integrity based algorithm. When you want to hash low-entropy input choose a password hash algorithm. Don't try to be clever. Follow recommendations and guidelines. 
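Review bot: the "Loss of Confidentiality" bullet and the preimage sentence in this hunk overstate what is broken: MD5 and SHA-1 have practical collision attacks, but no practical preimage or second-preimage attack is known for either, so "may expose the preimage (input)" is wrong as stated. The confidentiality loss that actually happens is enumeration of low-entropy inputs (passwords, PINs, identifiers) hashed with a fast function, which is independent of whether the function is MD5 or SHA-256; the HKDF paragraph has the same problem, since HKDF is HMAC-based and is fine over SHA-2 or SHA-3 for high-entropy keying material, and its weakness for passwords is the absence of a work factor, not the underlying hash. Citing NIST IR 8547 for hash bit-lengths at rest is also a stretch: that draft covers the transition away from quantum-vulnerable public-key algorithms, while the hash transitions belong to SP 800-131A, which is already in `refs:`. Finally, the context and added lines carry a lowercase sentence start ("when performing"), "improper implemented", "a a hashing algorithm", "low-entry input" and "computers gets stronger, the hashes gets weaker"; fix them in this hunk rather than in later commits.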
From 293a15a630fee7378647ba6c4497248f30a2f0bc Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 15 Jul 2025 16:07:50 +0200 Subject: [PATCH 02/17] Change status --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index d49e526..535f629 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -15,12 +15,11 @@ refs: - https://cwe.mitre.org/data/definitions/328.html - https://en.wikipedia.org/wiki/Collision_attack - https://csrc.nist.gov/pubs/ir/8547/ipd -draft: - description: Utilizing broken hashing algorithms such as MD5 and SHA1 in a security - sensitive context may compromise data integrity and authenticity. - topics: - - Broken hashing algorithms (e.g. MD5, SHA1, etc.) -status: draft +status: new + +--- + +## Overview --- From f7898fec839575d95ee32a87850148e3dff90e21 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 15 Jul 2025 17:18:49 +0200 Subject: [PATCH 03/17] Add back description and topic --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 535f629..122e54b 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -15,6 +15,10 @@ refs: - https://cwe.mitre.org/data/definitions/328.html - https://en.wikipedia.org/wiki/Collision_attack - https://csrc.nist.gov/pubs/ir/8547/ipd +description: Utilizing broken hashing algorithms such as MD5 and SHA1 in a security + sensitive context may compromise data integrity and authenticity. +topics: +- Broken hashing algorithms (e.g. MD5, SHA1, etc.) status: new --- From a14aded5750107f68141d43ea67f718197bc3a74 Mon Sep 17 00:00:00 2001 
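Review bot: the `+---` added after `status: new` in PATCH 02 closes the front matter, but the original closing `---` is kept as context directly under `+## Overview`, so the rendered page now has a horizontal rule right below the Overview heading; drop one of the two. PATCH 03 then re-adds `description:` and `topics:` at top level instead of under `draft:`; confirm the page schema accepts them there, or fold them into the Overview text if `status: new` means they are no longer needed.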
From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 15 Jul 2025 17:28:08 +0200 Subject: [PATCH 04/17] Correct title --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 122e54b..5053317 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -1,7 +1,7 @@ --- -title: Deprecated, Risky or Broken Hashing +title: Improper Hashing id: MASWE-0021 -alias: weak-hashing +alias: improper-hashing platform: [android, ios] profiles: [L1, L2] mappings: From 497566803c65f340f35c76e42b1ff9f44e398877 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 15 Jul 2025 17:34:00 +0200 Subject: [PATCH 05/17] Update MASWE-0021.md --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 5053317..ed34b75 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -15,8 +15,7 @@ refs: - https://cwe.mitre.org/data/definitions/328.html - https://en.wikipedia.org/wiki/Collision_attack - https://csrc.nist.gov/pubs/ir/8547/ipd -description: Utilizing broken hashing algorithms such as MD5 and SHA1 in a security - sensitive context may compromise data integrity and authenticity. +description: Utilizing broken hashing algorithms such as MD5 and SHA1 in a security sensitive context may compromise data integrity and authenticity. topics: - Broken hashing algorithms (e.g. MD5, SHA1, etc.) status: new From 53f44d11e6fdcf7dbbe5c52e5d1c6190f0f8dfa8 Mon Sep 17 00:00:00 2001 
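Review bot: the commit subject "Correct title" undersells PATCH 04, whose important part is restoring `alias: improper-hashing`, i.e. the stable URL slug; mention the alias revert in the message so the intent survives a squash. PATCH 05 only reflows the `description:` scalar onto one line, which is fine YAML either way.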
From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Wed, 16 Jul 2025 13:04:26 +0200 Subject: [PATCH 06/17] Remove description and tooics --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index ed34b75..922326c 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -15,9 +15,7 @@ refs: - https://cwe.mitre.org/data/definitions/328.html - https://en.wikipedia.org/wiki/Collision_attack - https://csrc.nist.gov/pubs/ir/8547/ipd -description: Utilizing broken hashing algorithms such as MD5 and SHA1 in a security sensitive context may compromise data integrity and authenticity. -topics: -- Broken hashing algorithms (e.g. MD5, SHA1, etc.) + status: new --- From 3a4d5074e9ca747c95d54a18d42b58966d6035e5 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Wed, 16 Jul 2025 13:09:43 +0200 Subject: [PATCH 07/17] Remove new line --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 1 - 1 file changed, 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 922326c..1025c84 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -15,7 +15,6 @@ refs: - https://cwe.mitre.org/data/definitions/328.html - https://en.wikipedia.org/wiki/Collision_attack - https://csrc.nist.gov/pubs/ir/8547/ipd - status: new --- From c5705b90c65308400dd8e7030e8c8ea17636f659 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Mon, 3 Nov 2025 12:50:13 +0100 Subject: [PATCH 08/17] Update weaknesses/MASVS-CRYPTO/MASWE-0021.md Co-authored-by: Dionysis Lorentzos --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
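Review bot: PATCH 06 adds an empty line inside the front matter (the bare `+` before `status: new`) that PATCH 07 deletes again, and together with PATCHes 02, 03 and 05 these commits remove, re-add, reflow and remove the same `description`/`topics` fields. Squash the front-matter commits into one so the reviewable change is simply "drop `draft:`, set `status: new`", and state in that message whether anything on the site consumes `description` once it is gone.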
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 1025c84..021c195 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -23,7 +23,7 @@ status: new --- -Choosing a deprecated, risky or broken hash algorithm, that is insufficiently collision resistant, may compromise the integrity and authenticity of data at rest and in transit by making the app vulnerable to collision attacks. +Choosing a deprecated, risky, or broken hash algorithm that is insufficiently collision-resistant may compromise data integrity. when performing key derivation together with predictable input or in password hashing, the digest (or hash) of an improper implemented or used hash function may allow an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (second preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack/collision attack), given the actor can arbitrarily choose the inputs to be hashed and can do so a reasonable amount of times. From 0ea166473fd5883e4fcbc258d122b47925e7f8ed Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Mon, 3 Nov 2025 12:52:50 +0100 Subject: [PATCH 09/17] Update weaknesses/MASVS-CRYPTO/MASWE-0021.md Co-authored-by: Dionysis Lorentzos --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 021c195..e16fcfb 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md 
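Review bot: dropping "and authenticity" from the lead sentence of this hunk is correct, because an unkeyed hash provides integrity only against accidental change and no authenticity at all, but the page should then say explicitly that authenticity needs a MAC or a signature, otherwise readers will assume a bare SHA-256 does the job. The unchanged context line right below still begins with a lowercase "when performing" and reads "improper implemented or used"; since this hunk already touches the paragraph, fix both here.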
@@ -11,9 +11,12 @@ mappings: refs: - https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality -- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf - https://cwe.mitre.org/data/definitions/328.html - https://en.wikipedia.org/wiki/Collision_attack +- https://csrc.nist.gov/pubs/sp/800/131/a/r2/final +- https://csrc.nist.gov/pubs/sp/800/185/final +- https://csrc.nist.gov/pubs/fips/202/final +- https://csrc.nist.gov/pubs/fips/180-4/upd1/final - https://csrc.nist.gov/pubs/ir/8547/ipd status: new From 8fcbceb9c66a01fc3707ebbc0a8d9a7c84806a70 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Mon, 3 Nov 2025 13:26:38 +0100 Subject: [PATCH 10/17] Refine descriptions of hashing algorithm risks Updated language for clarity and consistency regarding hashing algorithms and their vulnerabilities. --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index e16fcfb..e534aa8 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md 
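Review bot: the four NIST references added in this hunk are never cited in the body. SP 800-185 defines the SHA-3 derived functions (cSHAKE, KMAC, TupleHash, ParallelHash), so it only earns its place if the page recommends KMAC as a keyed alternative to HMAC; SP 800-131A Rev 2 is the document that actually sets the SHA-1 transition and should be linked from the sentence that calls MD5 and SHA-1 broken. Swapping the nvlpubs PDF for the csrc.nist.gov landing page is the right move, since PDF paths move.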
@@ -30,26 +30,26 @@ Choosing a deprecated, risky, or broken hash algorithm that is insufficiently co when performing key derivation together with predictable input or in password hashing, the digest (or hash) of an improper implemented or used hash function may allow an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (second preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack/collision attack), given the actor can arbitrarily choose the inputs to be hashed and can do so a reasonable amount of times. -What is regarded as "reasonable" varies by context and threat model, but in general, "reasonable" could cover any attack that is more efficient than brute force (i.e., on average, attempting half of all possible combinations). Note that some attacks might be more efficient than brute force but are still not regarded as achievable in the real world. +What is regarded as "reasonable" varies by context and threat model, but in general, "reasonable" could cover any attack that is more efficient than brute force (i.e., on average, attempting half of all possible combinations). Note that some attacks might be more efficient than brute force, but are still not regarded as achievable in the real world. -Any algorithm that does not meet the above conditions will generally be considered risky or too "weak" for general use in hashing. When a collision attack is discovered and is found to be faster than a birthday attack, a hash function is often denounced as "broken". This is the case for MD5 and SHA-1. +Any algorithm not meeting the above conditions will be considered risky or too "weak" for general use in hashing. When a collision attack is discovered and is found to be faster than a birthday attack, a hash function is often denounced as "broken". This is the case for MD5 and SHA-1. 
-Another common issue is using a HKDF for key derivation with any type of integrity based hashing algorithm like MD5, SHA-1, SHA-2 or even SHA-3 on low-entropy input like user supplied passwords and pins. HKDF aren't designed for low-entropy inputs. Doing so will result in producing "weak" hashes that easily can be broken. +Another common issue is using an HKDF for key derivation with any type of integrity-based hashing algorithm like MD5, SHA-1, SHA-2, or even SHA-3 on low-entropy input like user-supplied passwords and pins. HKDF isn't designed for low-entropy inputs. Doing so will produce "weak" hashes that can easily be broken. ## Impact -- **Loss of Integrity and authenticity**: A deprecated, risky or broken hashing algorithm, may allow an attacker to compromise the integrity and authenticity of data at rest and in transit. -- **Loss of Confidentiality**: A deprecated, risky or broken hashing algorithm may expose the preimage (input) and in so doing break the confidentiality. -- **Risk of Brute-Force Attacks**: A deprecated, risky or broken hashing is susceptible to brute-force attacks. +- **Loss of authenticity**: A hashing algorithm, known to be vulnerable to collision attacks, may compromise the authenticity of the data as it allows for two data sources to be identical. +- **Loss of integrity**: Algorithms that are susceptible to length extension attacks may allow an attacker to compromise the integrity of the data by appending data to the original data source. +- **Loss of confidentiality**: A hashing algorithm, known to be vulnerable to pre-image attacks, increases the likelihood that encrypted data can be leaked through using cryptoanalysis or brute-force. ## Modes of Introduction -- **using a deprecated, risky or broken hashing algorithm**: E.g: MD5 and SHA-1 have been identified to be vulnerable to collision attacks that are faster than a birthday attack. This means they are denounced as "broken". 
-- **Using an insufficiently collision resistant hash**: Choosing a a hashing algorithm of insufficient length may result in loss of integrity or confidentiality. -- **Using non-resource intensive algorithms on low-entropy input**: Using a integrity based hashing algorithm to hash low-entry input like pin numbers would make brute-force or dictionary attacks trivial. +- **using a deprecated, risky, or broken hashing algorithm**: E.g., MD5 and SHA-1 have been identified to be vulnerable to collision attacks that are faster than a birthday attack. +- **Using a hash susceptible to length extension attacks**: E.g., MD5 and SHA-1 have been identified to be vulnerable to length extension attacks. +- **Using non-resource-intensive algorithms on low-entropy input**: Using an integrity-based hashing algorithm to hash low-entropy input like pin numbers would make brute-force or dictionary attacks trivial. ## Mitigations -- **Choose collision resistant algorithm**: Choose an algorithm that is sufficiently collision resistant like the integrity algorithms SHA-256, SHA-384, SHA-512, BLAKE3 and the SHA-3 family -- **Choose an algorithm with sufficient bit-lengths**: As our computers gets stronger, the hashes gets weaker, therefore, make sure that you can adjust the bit-length length of the algorithm of your choosing. When hashes are stored at rest, make sure to follow the software industry's long term recommendations (e.g: ["NIST: Transition to Post-Quantum Cryptography Standards](https://csrc.nist.gov/pubs/ir/8547/ipd)"). -- **Choose an algorithm fit for it's purpose**: When you want to ensure the data's integrity choose a integrity based algorithm. When you want to hash low-entropy input choose a password hash algorithm. Don't try to be clever. Follow recommendations and guidelines. 
+- **Choose collision-resistant algorithm**: Choose an algorithm that is sufficiently collision-resistant, like the integrity algorithms SHA-2 (with 256, 384, 512 bits), BLAKE3 and the SHA-3 family +- **Choose an algorithm with sufficient bit-lengths**: As our computers get stronger, the hashes get weaker, therefore, make sure that you can adjust the bit-length of the algorithm of your choosing. When hashes are stored at rest, make sure to follow the software industry's long-term recommendations (e.g, ["NIST: Transition to Post-Quantum Cryptography Standards](https://csrc.nist.gov/pubs/ir/8547/ipd)"). +- **Choose an algorithm fit for its purpose**: To ensure the data's integrity, choose an integrity-based algorithm. When you want to hash low-entropy input, choose a password hash algorithm. Don't try to be clever. Follow recommendations and guidelines. From 2c832ec409f0c2ac6927e32f40a77e806373af36 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Sat, 15 Nov 2025 14:32:03 +0100 Subject: [PATCH 11/17] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index e534aa8..3fb80da 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md 
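Review bot: the new "Using a hash susceptible to length extension attacks" bullet in this hunk blames MD5 and SHA-1 specifically, while the Mitigations bullet in the same hunk recommends SHA-2 with 256, 384 or 512 bits; SHA-256 and SHA-512 share the Merkle-Damgard structure and are just as length-extendable, and only the truncated variants (SHA-384, SHA-512/256) and SHA-3 are not. The defect is using `H(secret || message)` where a MAC is needed, so rewrite the bullet around "use HMAC" instead of around the algorithm family. The "Loss of confidentiality" bullet also conflates hash preimage resistance with encryption; the realistic confidentiality loss is offline enumeration of low-entropy inputs, which hits SHA-256 as hard as MD5. The HKDF sentence should say the problem is the lack of a work factor, not the choice of SHA-2 or SHA-3 underneath. Lastly, BLAKE3 appears in Mitigations but in none of the references and is not a NIST-approved hash; either add a reference or drop it from the list.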
@@ -28,7 +28,7 @@ status: new Choosing a deprecated, risky, or broken hash algorithm that is insufficiently collision-resistant may compromise data integrity. -when performing key derivation together with predictable input or in password hashing, the digest (or hash) of an improper implemented or used hash function may allow an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (second preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack/collision attack), given the actor can arbitrarily choose the inputs to be hashed and can do so a reasonable amount of times. +When performing key derivation with predictable input, or in password hashing, using an improperly implemented or chosen hash function can be dangerous. An adversary may be able to reasonably determine the original input (preimage attack), find another input that produces the same hash (second preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack/collision attack). These attacks are possible if the attacker can arbitrarily choose the inputs to be hashed and can do so a reasonable number of times. What is regarded as "reasonable" varies by context and threat model, but in general, "reasonable" could cover any attack that is more efficient than brute force (i.e., on average, attempting half of all possible combinations). Note that some attacks might be more efficient than brute force, but are still not regarded as achievable in the real world. 
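Review bot: "These attacks are possible if the attacker can arbitrarily choose the inputs to be hashed" is true only for collision and birthday attacks; preimage and second-preimage attacks are defined against a target digest the attacker does not get to pick, so this sentence should scope the chosen-input condition to collisions. The rest of the rewording (capitalized sentence start, "improperly implemented or chosen") reads correctly.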
@@ -44,12 +44,12 @@ Another common issue is using an HKDF for key derivation with any type of integr ## Modes of Introduction -- **using a deprecated, risky, or broken hashing algorithm**: E.g., MD5 and SHA-1 have been identified to be vulnerable to collision attacks that are faster than a birthday attack. +- **Using a deprecated, risky, or broken hashing algorithm**: E.g., MD5 and SHA-1 have been identified to be vulnerable to collision attacks that are faster than a birthday attack. - **Using a hash susceptible to length extension attacks**: E.g., MD5 and SHA-1 have been identified to be vulnerable to length extension attacks. - **Using non-resource-intensive algorithms on low-entropy input**: Using an integrity-based hashing algorithm to hash low-entropy input like pin numbers would make brute-force or dictionary attacks trivial. ## Mitigations - **Choose collision-resistant algorithm**: Choose an algorithm that is sufficiently collision-resistant, like the integrity algorithms SHA-2 (with 256, 384, 512 bits), BLAKE3 and the SHA-3 family -- **Choose an algorithm with sufficient bit-lengths**: As our computers get stronger, the hashes get weaker, therefore, make sure that you can adjust the bit-length of the algorithm of your choosing. When hashes are stored at rest, make sure to follow the software industry's long-term recommendations (e.g, ["NIST: Transition to Post-Quantum Cryptography Standards](https://csrc.nist.gov/pubs/ir/8547/ipd)"). +- **Choose an algorithm with sufficient bit-lengths**: As our computers get stronger, the hashes get weaker, therefore, make sure that you can adjust the bit-length of the algorithm of your choosing. When hashes are stored at rest, make sure to follow the software industry's long-term recommendations (e.g., ["NIST: Transition to Post-Quantum Cryptography Standards](https://csrc.nist.gov/pubs/ir/8547/ipd)"). - **Choose an algorithm fit for its purpose**: To ensure the data's integrity, choose an integrity-based algorithm. 
When you want to hash low-entropy input, choose a password hash algorithm. Don't try to be clever. Follow recommendations and guidelines. From 6d59a30046a911c96cedd5bfcc4b8a713f4bcbce Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Sun, 16 Nov 2025 00:10:13 +0100 Subject: [PATCH 12/17] Update weaknesses/MASVS-CRYPTO/MASWE-0021.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 3fb80da..4907e17 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md 
@@ -24,17 +24,11 @@ status: new ## Overview ---- - -Choosing a deprecated, risky, or broken hash algorithm that is insufficiently collision-resistant may compromise data integrity. - -When performing key derivation with predictable input, or in password hashing, using an improperly implemented or chosen hash function can be dangerous. An adversary may be able to reasonably determine the original input (preimage attack), find another input that produces the same hash (second preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack/collision attack). These attacks are possible if the attacker can arbitrarily choose the inputs to be hashed and can do so a reasonable number of times. - -What is regarded as "reasonable" varies by context and threat model, but in general, "reasonable" could cover any attack that is more efficient than brute force (i.e., on average, attempting half of all possible combinations). Note that some attacks might be more efficient than brute force, but are still not regarded as achievable in the real world. +Using deprecated, risky, or broken hash algorithms may compromise data integrity and make offline attacks practical. In mobile apps this often appears in three areas: hashing for integrity of local data, hashing of passwords or PINs, and hashing or deriving keys from low-entropy identifiers. Weak or misused hash functions allow adversaries to tamper with data, find collisions, recover secrets, or brute force hashed values. -Any algorithm not meeting the above conditions will be considered risky or too "weak" for general use in hashing. When a collision attack is discovered and is found to be faster than a birthday attack, a hash function is often denounced as "broken". This is the case for MD5 and SHA-1. 
+Hash functions that no longer provide adequate [collision](https://en.wikipedia.org/wiki/Collision_attack) or [preimage](https://en.wikipedia.org/wiki/Preimage_attack) resistance, such as MD5 and SHA-1, enable adversaries to craft different inputs that produce the same hash or to recover the original input more efficiently than brute force. Similarly, using generic fast hash functions for low-entropy inputs like passwords, PINs, device identifiers, or email addresses allows practical offline brute force or dictionary attacks. -Another common issue is using an HKDF for key derivation with any type of integrity-based hashing algorithm like MD5, SHA-1, SHA-2, or even SHA-3 on low-entropy input like user-supplied passwords and pins. HKDF isn't designed for low-entropy inputs. Doing so will produce "weak" hashes that can easily be broken. +Hash-based KDFs such as HKDF are suitable only when the input secret already has high entropy. They are not appropriate as substitutes for password hashing functions because they do not provide work factors or memory hardness. ## Impact From ed0ac56c7922c0affe640c79b5f275260e614a60 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Sun, 16 Nov 2025 00:14:37 +0100 Subject: [PATCH 13/17] Update weaknesses/MASVS-CRYPTO/MASWE-0021.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 4907e17..9951b50 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md 
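Review bot: "Hash functions that no longer provide adequate collision or preimage resistance, such as MD5 and SHA-1" is inaccurate on the preimage half: both have practical collision attacks, but no practical preimage attack is known for either, so the MD5/SHA-1 example should be attached to collision resistance only. In the last paragraph, "Hash-based KDFs such as HKDF ... do not provide work factors" is too broad as a class statement, because PBKDF2 is also an HMAC-based KDF and does have an iteration count; say "extract-and-expand KDFs such as HKDF" instead. The inline Wikipedia preimage-attack link should also be added to `refs:` alongside the existing collision-attack entry.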
@@ -32,9 +32,9 @@ Hash-based KDFs such as HKDF are suitable only when the input secret already has ## Impact -- **Loss of authenticity**: A hashing algorithm, known to be vulnerable to collision attacks, may compromise the authenticity of the data as it allows for two data sources to be identical. -- **Loss of integrity**: Algorithms that are susceptible to length extension attacks may allow an attacker to compromise the integrity of the data by appending data to the original data source. -- **Loss of confidentiality**: A hashing algorithm, known to be vulnerable to pre-image attacks, increases the likelihood that encrypted data can be leaked through using cryptoanalysis or brute-force. +- **Account compromise**: Storing passwords, PINs, tokens, or other low-entropy secrets using fast generic hash functions such as SHA-256 allows attackers who obtain the hashes to perform offline brute force attacks and recover credentials. +- **Loss of integrity**: If an app uses a collision-prone or structurally weak hash to protect configuration files or offline data, an attacker may modify the data and still pass integrity checks by generating a colliding value. +- **Loss of confidentiality**: If encryption keys or key encryption keys are derived by hashing low-entropy input, such as device identifiers or user passwords, attackers can brute force the hash, recover the key, and decrypt protected data. ## Modes of Introduction From 76d89338d9f63be0a8b8a7575a9cc8233c0085da Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Sun, 16 Nov 2025 00:18:12 +0100 Subject: [PATCH 14/17] Update weaknesses/MASVS-CRYPTO/MASWE-0021.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 9951b50..eef061b 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md 
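Review bot: the "Loss of integrity" bullet in this hunk says an attacker can modify data "and still pass integrity checks by generating a colliding value", but a collision requires the attacker to control both inputs; altering a file whose digest is already fixed needs a second preimage, which is not practical even for MD5 or SHA-1. The realistic cases are chosen-prefix collisions where the attacker also supplied the original, and, more commonly on mobile, an unkeyed digest stored next to the data that the attacker simply recomputes after tampering. Reword the bullet around those two scenarios and point to HMAC or a signature as the fix. The "Account compromise" bullet naming SHA-256 as the fast function is a good, concrete example.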
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -38,9 +38,10 @@ Hash-based KDFs such as HKDF are suitable only when the input secret already has ## Modes of Introduction -- **Using a deprecated, risky, or broken hashing algorithm**: E.g., MD5 and SHA-1 have been identified to be vulnerable to collision attacks that are faster than a birthday attack. -- **Using a hash susceptible to length extension attacks**: E.g., MD5 and SHA-1 have been identified to be vulnerable to length extension attacks. -- **Using non-resource-intensive algorithms on low-entropy input**: Using an integrity-based hashing algorithm to hash low-entropy input like pin numbers would make brute-force or dictionary attacks trivial. +- **Using a deprecated, risky, or broken hashing algorithm**: Examples include MD5 and SHA-1, which have practical collision attacks faster than the birthday bound. +- **Using raw hash constructions where a MAC is required**: For example computing SHA-256(secret || data) or SHA-256(data || secret) instead of using HMAC, making the scheme vulnerable to length extension and structural attacks. +- **Using non-resource-intensive algorithms on low-entropy input**: For example hashing passwords or PINs with a single SHA-256 call instead of using a proper password hashing function with salt and work factor. +- **Using unsafe or overly short truncation of hashes**: For instance truncating a message digest to below recommended lengths reduces its security strength. [NIST SP 800-107 Rev 1](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf) indicates: "The length of truncated message digests used shall be at least twice the desired security strength required for the digital signature". ## Mitigations From 8dec838d5e663666f3827b243da457af5f889dad Mon Sep 17 00:00:00 2001 
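Review bot: the SP 800-107 Rev 1 link in the truncation bullet points at a `nvlpubs.nist.gov/nistpubs/Legacy/` path while PATCH 09 standardized the NIST references on csrc.nist.gov landing pages; add it to `refs:` in that form and check whether the publication is still current before quoting it. The quoted rule is scoped to digital signatures, so the bullet should state the general consequence for this page (a truncated digest of λ bits gives roughly λ/2 bits of collision resistance). In the MAC bullet, `SHA-256(data || secret)` is not length-extendable; the text's "length extension and structural attacks" covers both orderings, but saying "length extension for the secret-prefix form, collision-based forgery for the secret-suffix form" would make the distinction explicit.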
From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Sun, 16 Nov 2025 00:18:45 +0100 Subject: [PATCH 15/17] Update weaknesses/MASVS-CRYPTO/MASWE-0021.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index eef061b..7e390ae 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md 
@@ -45,6 +45,6 @@ Hash-based KDFs such as HKDF are suitable only when the input secret already has ## Mitigations -- **Choose collision-resistant algorithm**: Choose an algorithm that is sufficiently collision-resistant, like the integrity algorithms SHA-2 (with 256, 384, 512 bits), BLAKE3 and the SHA-3 family -- **Choose an algorithm with sufficient bit-lengths**: As our computers get stronger, the hashes get weaker, therefore, make sure that you can adjust the bit-length of the algorithm of your choosing. When hashes are stored at rest, make sure to follow the software industry's long-term recommendations (e.g., ["NIST: Transition to Post-Quantum Cryptography Standards](https://csrc.nist.gov/pubs/ir/8547/ipd)"). -- **Choose an algorithm fit for its purpose**: To ensure the data's integrity, choose an integrity-based algorithm. When you want to hash low-entropy input, choose a password hash algorithm. Don't try to be clever. Follow recommendations and guidelines. +- **Choose collision-resistant algorithm with sufficient bit-lengths**: Choose SHA-2 (256, 384, or 512 bits) or the SHA-3 family for integrity and fingerprinting purposes. +- **Match the algorithm to the purpose**: Use password hashing functions for passwords and PINs. Use hash based KDFs only when the input secret already has high entropy. Do not treat general purpose hash functions as password hashing or key stretching mechanisms. +- **Avoid truncating hashes too aggressively**: As stated in [NIST SP 800-107 Rev 1](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf), ensure that when truncating digests the truncated length is at least twice the targeted security strength. From ca8cb0c9c9610965125cce2d316ed22ce251914d Mon Sep 17 00:00:00 2001 
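Review bot: The "Match the algorithm to the purpose" bullet tells the reader to use "password hashing functions" without naming any; since the Modes of Introduction bullet already mentions "salt and work factor", naming the accepted options (Argon2id, scrypt, or PBKDF2 with a high iteration count) would make the mitigation actionable. The hunk also drops the previous advice to plan for growing digest lengths and the NIST IR 8547 post-quantum reference, while the first bullet now fixes the list to SHA-2 and SHA-3; if that is intended, one sentence giving 256-bit output as the floor for 128-bit collision resistance would preserve the "sufficient bit-lengths" part of the heading, which the body no longer explains.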
From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 25 Nov 2025 09:44:30 +0100 Subject: [PATCH 16/17] Remove duplicate entries in MASWE-0021.md Removed duplicate entries in the Modes of Introduction and Mitigations sections for clarity. --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 7e390ae..1683cd6 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md 
@@ -39,12 +39,13 @@ Hash-based KDFs such as HKDF are suitable only when the input secret already has ## Modes of Introduction - **Using a deprecated, risky, or broken hashing algorithm**: Examples include MD5 and SHA-1, which have practical collision attacks faster than the birthday bound. -- **Using raw hash constructions where a MAC is required**: For example computing SHA-256(secret || data) or SHA-256(data || secret) instead of using HMAC, making the scheme vulnerable to length extension and structural attacks. -- **Using non-resource-intensive algorithms on low-entropy input**: For example hashing passwords or PINs with a single SHA-256 call instead of using a proper password hashing function with salt and work factor. -- **Using unsafe or overly short truncation of hashes**: For instance truncating a message digest to below recommended lengths reduces its security strength. [NIST SP 800-107 Rev 1](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf) indicates: "The length of truncated message digests used shall be at least twice the desired security strength required for the digital signature". +- **Using raw hash constructions where a MAC is required**: For example, computing SHA-256(secret || data) or SHA-256(data || secret) instead of using HMAC, making the scheme vulnerable to length extension and structural attacks. +- **Using non-resource-intensive algorithms on low-entropy input**: For example, hashing passwords or PINs with a single SHA-256 call instead of using a proper password hashing function with salt and work factor. +- **Using unsafe or overly short truncation of hashes**: For instance, truncating a message digest to below the recommended lengths reduces its security strength. 
[NIST SP 800-107 Rev 1](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf) indicates: "The length of truncated message digests used shall be at least twice the desired security strength required for the digital signature". ## Mitigations - **Choose collision-resistant algorithm with sufficient bit-lengths**: Choose SHA-2 (256, 384, or 512 bits) or the SHA-3 family for integrity and fingerprinting purposes. -- **Match the algorithm to the purpose**: Use password hashing functions for passwords and PINs. Use hash based KDFs only when the input secret already has high entropy. Do not treat general purpose hash functions as password hashing or key stretching mechanisms. -- **Avoid truncating hashes too aggressively**: As stated in [NIST SP 800-107 Rev 1](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf), ensure that when truncating digests the truncated length is at least twice the targeted security strength. +- **Use HMAC instead of raw hash constructs to detect tampering**: To protect against data tampering, don't use raw hash constructs like SHA-256(secret || data) or SHA-256(data || secret); instead, use HMAC properly and transfer the secret confidentially beforehand to the recipient of the data. +- **Match the algorithm to the purpose**: Use password hashing functions for passwords and PINs. Use hash-based KDFs only when the input secret already has high entropy. Do not treat general-purpose hash functions as password hashing or key stretching mechanisms. +- **Avoid truncating hashes too aggressively**: As stated in [NIST SP 800-107 Rev 1](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf), ensure that when truncating digests, the truncated length is at least twice the targeted security strength. From d889d1b9b27e5c94ab5b0a3ffae8f72e096bccb3 Mon Sep 17 00:00:00 2001 
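Review bot: The new "Use HMAC instead of raw hash constructs" mitigation says to "transfer the secret confidentially beforehand to the recipient", which on a mobile device usually means a key shipped inside the app or stored next to the protected file, where an attacker able to tamper with the file can typically read the key as well. Suggest stating that an HMAC key only protects against tampering if it is out of the attacker's reach (a per-user key in the platform keystore, or held server-side), and that for data the app ships with, a digital signature verified against an embedded public key is the fitting primitive. Separately, the commit message says "Remove duplicate entries", but the hunk adds commas and a new mitigation bullet rather than removing anything; the message should describe the actual change.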
From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 25 Nov 2025 10:42:57 +0100 Subject: [PATCH 17/17] Revise MASWE-0021 to clarify hashing practices Removed mentions of raw hash constructions and HMAC from the modes of introduction and mitigations sections. --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 1683cd6..55f3b7c 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md 
@@ -39,13 +39,11 @@ Hash-based KDFs such as HKDF are suitable only when the input secret already has ## Modes of Introduction - **Using a deprecated, risky, or broken hashing algorithm**: Examples include MD5 and SHA-1, which have practical collision attacks faster than the birthday bound. -- **Using raw hash constructions where a MAC is required**: For example, computing SHA-256(secret || data) or SHA-256(data || secret) instead of using HMAC, making the scheme vulnerable to length extension and structural attacks. - **Using non-resource-intensive algorithms on low-entropy input**: For example, hashing passwords or PINs with a single SHA-256 call instead of using a proper password hashing function with salt and work factor. - **Using unsafe or overly short truncation of hashes**: For instance, truncating a message digest to below the recommended lengths reduces its security strength. [NIST SP 800-107 Rev 1](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf) indicates: "The length of truncated message digests used shall be at least twice the desired security strength required for the digital signature". ## Mitigations - **Choose collision-resistant algorithm with sufficient bit-lengths**: Choose SHA-2 (256, 384, or 512 bits) or the SHA-3 family for integrity and fingerprinting purposes. -- **Use HMAC instead of raw hash constructs to detect tampering**: To protect against data tampering, don't use raw hash constructs like SHA-256(secret || data) or SHA-256(data || secret); instead, use HMAC properly and transfer the secret confidentially beforehand to the recipient of the data. - **Match the algorithm to the purpose**: Use password hashing functions for passwords and PINs. Use hash-based KDFs only when the input secret already has high entropy. Do not treat general-purpose hash functions as password hashing or key stretching mechanisms. 
- **Avoid truncating hashes too aggressively**: As stated in [NIST SP 800-107 Rev 1](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf), ensure that when truncating digests, the truncated length is at least twice the targeted security strength.
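Review bot: Removing both the "raw hash constructions where a MAC is required" mode and the HMAC mitigation leaves the page with no coverage of length extension at all, although the surrounding bullets still treat construction-level misuse as in scope. If MAC misuse is being tracked under a separate MASVS-CRYPTO weakness, add a cross-reference to it here so the truncation bullet is not the only construction-level issue left; if not, keep at least a one-line pointer such as "for keyed integrity use HMAC rather than a hash over secret and data". The commit message "Revise MASWE-0021 to clarify hashing practices" also describes a pure deletion; stating why the bullets were removed (moved elsewhere, out of scope) would help the log.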