#0702

Unsalted Hash

Difficulty: Easy | +50 XP | OWASP A07:2021 Identification and Authentication Failures | CWE-916
Tags: Password Hashing, Salt, Rainbow Table

Scenario

A password hashing function accepts a salt parameter but silently ignores it. Every call with the same password produces the same hash regardless of the salt provided.

Without salts, identical passwords produce identical hashes. An attacker with the hash database can use pre-computed rainbow tables to crack all matching passwords in one pass.

The fix is simple: include the salt in the hashed output so that even identical passwords produce unique hashes.

Salts ensure that identical passwords hash to different values, defeating pre-computed rainbow table attacks. Without salts, a single cracked hash exposes every user with the same password.

Your Tasks

  1. Fix hashPassword so it incorporates the salt in the returned hash.
  2. The returned hash field must differ when the same password is hashed with different salts.
  3. Do not change the function signature.

Examples

Example 1: Vulnerable — salt ignored

hashPassword('pass', 'salt1') // → { hash: 'hash:pass' }
hashPassword('pass', 'salt2') // → { hash: 'hash:pass' }
// identical! rainbow table attack works

Example 2: Fixed — salt included

hashPassword('pass', 'salt1') // → { hash: 'hash:salt1:pass' }
hashPassword('pass', 'salt2') // → { hash: 'hash:salt2:pass' }

Constraints

  • Return an object with shape { hash: string }.
  • The hash must include the salt value — simulated as "hash:" + salt + ":" + password.
  • No external packages.

Hint

References