Cryptographic Failures Explained (OWASP A02) — 2026
May 10, 2001 · by Pentevo
Cryptographic failures (#2 on the OWASP Top 10) happen when sensitive data isn't protected properly — because encryption was missing, weak, or misused. The result is exposed passwords, payment data, or personal information, often leading to a data breach.
The core idea
Sensitive data must be protected both in transit (moving across networks) and at rest (stored). A cryptographic failure is any gap in that protection — and crypto is unforgiving: small mistakes cause total failures.
Common failures
- No encryption in transit — sensitive data sent over plain HTTP instead of HTTPS.
- Weak or outdated algorithms — using broken hashes (MD5, SHA-1) or old TLS versions.
- Bad password storage — storing passwords in plaintext, or hashing without a salt and a slow algorithm.
- Hardcoded / exposed secrets — keys and credentials in source code or repos.
- Improper key management — weak, reused, or poorly stored keys.
- Rolling your own crypto — almost always a mistake.
How to do it right
- Encrypt in transit — TLS everywhere, modern versions only.
- Encrypt sensitive data at rest — and manage keys properly (use a KMS/secrets manager).
- Hash passwords correctly — use a strong, slow, salted algorithm (bcrypt, scrypt, or Argon2). Never plain hashes.
- Use vetted libraries — don't invent your own algorithms or protocols.
- Don't store what you don't need — the safest data is data you never collected.
- Keep secrets out of code — use environment variables / secret managers, never commit keys.
Why it matters
When this fails, the damage is direct: attackers walk away with readable credentials and personal data. Strong cryptography is what turns a stolen database into useless noise.
How it's found
Testers check for unencrypted transport, weak ciphers, exposed secrets, and poor password handling — part of any penetration test. Tools like Wireshark reveal unencrypted traffic instantly.
Related: Authentication Failures, Security Misconfiguration. Learn it all free at the Pentevo Academy.
Related reading
VPN Explained: What It Does (and Doesn't) — 2026
How a VPN actually works, what it protects you from, what it doesn't, and how to choose one — without the marketing hype.
FundamentalsWhat Is Penetration Testing? A Beginner's Guide (2026)
A plain-English guide to penetration testing: what it is, the five phases, the main types, and how it differs from a vulnerability scan.
FundamentalsZero-Day Vulnerabilities Explained (2026)
What a zero-day vulnerability is, why it's so dangerous, how zero-day exploits are used, and what defenders can do about the unknown.
FundamentalsWhat Is a CVE? Understanding Vulnerability IDs (2026)
What CVE means, how the numbering works, how CVSS severity and EPSS scores help you prioritize, and how to track the CVEs that matter.
Practice this hands-on
Pentevo Academy turns these concepts into guided lessons, videos and quizzes — free.
Start learning free