
Cryptographic Failures (OWASP A02): Examples, Impact & Prevention

The OWASP Top 10 2021 catalogues the most dangerous web application vulnerability classes. This post introduces the second entry on the list, cryptographic failures.

By Kaycie Waldman ・ 8 min read
Cryptographic Failures Are Still OWASP's #2 Vulnerability

This post was originally written when the OWASP Top 10 2021 list was released. As of 2026, cryptographic failures remain ranked #2 (unchanged) and the real-world consequences have only grown more severe. The global average cost of a data breach reached $4.88 million in 2024, a 10% increase from the previous year, with cryptographic failures among the leading root causes. Two recent cases illustrate why this category refuses to drop off the list:

LastPass (2022–2025): LastPass suffered a breach where attackers exfiltrated encrypted customer password vaults alongside unencrypted metadata. Because the stolen vault backups could be subjected to offline cracking attempts, the consequences continued into 2025 when LastPass settled a class action lawsuit for $24.5 million for losses incurred by affected customers. The lesson: encryption that can be cracked offline is not sufficient protection.

Snowflake / AT&T / Ticketmaster (2024): Attackers accessed unencrypted user credentials on a Jira instance by exploiting an unsecured device, then used those credentials to breach Snowflake's cloud environment affecting Ticketmaster, AT&T, Santander, and others. None of the stolen accounts had MFA enabled. Storing credentials without proper encryption and key management made a massive cross-company breach possible from a single point of failure.

These are the predictable result of the same cryptographic weaknesses this article covers below: weak hashing, unencrypted data at rest, and poor key management. The fundamentals haven't changed. The cost of getting them wrong has.

Understanding Cryptographic Failures and Their Implications

As per OWASP, cryptographic failure is a symptom instead of a cause. Any failure responsible for the exposure of sensitive and critical data to an unauthorized entity can be considered a cryptographic failure.

Cryptographic failures have many possible causes. Some of the Common Weakness Enumerations (CWEs) that map to this category are:

  • CWE-259: Use of Hard-coded Password,
  • CWE-327: Broken or Risky Crypto Algorithm, and
  • CWE-331: Insufficient Entropy.

Now that we have an idea of what cryptographic failure is, let’s try to understand how it impacts an organization and individuals.

Exploring Real-World Examples of Cryptographic Failures and Their Consequences

Cryptographic failures have led to significant security breaches in various real-world scenarios. The Heartbleed vulnerability exposed sensitive information in OpenSSL implementations, while the Dual EC DRBG backdoor raised concerns about intentional weaknesses in encryption algorithms. WhatsApp's flaw allowed attackers to inject spyware through voice calls, compromising user privacy. The Exactis debacle resulted in the exposure of 340 million individual records, including names, phone numbers, and emails of US citizens. Similarly, Facebook faced a major incident where millions of user passwords were stored in plain text, accessible to employees. These examples underscore the critical importance of robust cryptographic practices and the potential consequences of failures in encryption systems, highlighting the need for continuous vigilance and improvement in cybersecurity measures.

Analyzing the Impact of Cryptographic Failures on Security

Poor cryptography directly affects the security of an application and its data. Weak or missing protection lets attackers steal and modify data to commit fraud and identity theft, which can have serious consequences.

Attackers try to steal keys, execute man-in-the-middle attacks, or steal data from the server, in transit, or from the browser. Each of these again leads to the compromise of sensitive information.

The impact of a cryptographic failure is not limited to stealing a single piece of a user's information. Attackers can get hold of an entire database holding thousands of sensitive records, leading to data theft, public exposure of the data, breaches, and serious problems with business-related data. You can also imagine a scenario where an admin's credentials are stolen and the attacker gains complete control of a server. Cryptographic failures can result in irreparable reputational damage and heavy lawsuits.

Assessing Vulnerabilities in Your Application Related to Cryptographic Failures

Let's say you have an application up and running. Now you want to assess if your application is vulnerable to cryptographic failures. Of course, if you want an answer to that backed by rigorous tests, you need to wait for those tests to happen. But some aspects are so simple that just asking yourself a couple of questions can give you a sense of confidence.

Here are some of those questions:

  • Is data being transmitted in clear text?
  • Does my system store sensitive data in clear text?
  • Is my application using any old or weak encryption algorithms?
  • Am I using default configurations and keys for my cryptography systems?
  • Is my key management insecure?
  • Does my application use connections without TLS, or with invalid certificates?

If your answer to any of these questions is a “yes”, then you’re vulnerable to cryptographic failures. To understand how these questions decide your crypto-security and see how cryptographic failures happen, let’s look at some examples.

Examining Instances of Cryptographic Failures in Various Scenarios

Scenario 1: Breaking Unsalted Password Hashes Using Rainbow Tables

Simply hashing passwords is not enough in this era. With powerful tools and techniques, unsalted hashes are not difficult to crack. Salting makes any password cracking technique harder, because the salt adds extra, per-password input to the hash, so a table precomputed for bare passwords no longer applies. The longer the salt, the harder it gets. If you are storing unsalted password hashes, an attacker can use a rainbow table to recover the passwords.
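As an added example (not code from the original post or from Software Secured), the following Python shows the weak pattern the scenario describes beside the hardened form: a bare unsalted SHA-256 digest, which is identical for every user who picks the same password and is therefore answerable from one precomputed table, versus a per-record random salt with PBKDF2-HMAC-SHA256 from the standard library and a constant-time comparison at login. The stored record format and the sample password are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample password for the demonstration; not a real credential.
SAMPLE_PASSWORD = "correct horse battery staple"


def unsalted_sha256(password: str) -> str:
    """The weak pattern from Scenario 1: a bare, fast, unsalted hash.

    Every user with the same password gets the same digest, so one
    precomputed (rainbow) table answers every account at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Store a password with a fresh 16-byte random salt and PBKDF2-HMAC-SHA256.

    Record format (an assumption for this example):
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>', so the parameters
    travel with the hash and can be raised later without a schema change.
    """
    salt = secrets.token_bytes(16)  # CSPRNG, unique per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds
    )
    return hmac.compare_digest(candidate, expected)


def same_password_detectable(record_a: str, record_b: str) -> bool:
    """True when two stored records reveal that they hold the same password.

    Unsalted digests are equal for equal passwords; salted records are not,
    which is exactly what denies a precomputed table its reuse.
    """
    return record_a == record_b


if __name__ == "__main__":
    # Two accounts choose the same password.
    weak_a = unsalted_sha256(SAMPLE_PASSWORD)
    weak_b = unsalted_sha256(SAMPLE_PASSWORD)
    strong_a = hash_password(SAMPLE_PASSWORD)
    strong_b = hash_password(SAMPLE_PASSWORD)
    print("unsalted records identical:", same_password_detectable(weak_a, weak_b))
    print("salted records identical:  ", same_password_detectable(strong_a, strong_b))
    print("login with correct password:", verify_password(SAMPLE_PASSWORD, strong_a))
    print("login with wrong password:  ", verify_password("hunter2", strong_a))
```

The iteration count is a cost knob, not a secret: keeping it in the record lets you raise it for new logins while old records still verify.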

Scenario 2: Challenges with Automated Database Encryption and Decryption

Modern database management systems take cryptography seriously, which is why they provide features such as transparent data encryption (TDE) that encrypt data automatically as it is written to the database. The problem is that the data is just as automatically decrypted when it is read back. An attacker who can issue queries through the application, for example via SQL injection, therefore receives plaintext, so the data is still exposed to cryptographic failure.

Scenario 3: Risks Associated with Lack of TLS Encryption

Suppose a website does not use a strong transport protocol. Attackers can take advantage of this to get at your network traffic, and not only to spy on it. An attacker in that position can read every request made through your browser, modify requests, and steal users' session cookies. They can also downgrade the connection from HTTPS to HTTP to obtain the data in the clear. This can be fatal, because sensitive and highly confidential data is exposed.
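The following Python is an added example, not part of the original post, showing the two defensive checks a practitioner makes for this scenario: a client-side TLS context that refuses old protocol versions and unverified certificates (with a deliberately weak context beside it for comparison), and a check for a Strict-Transport-Security response header, the server-side control that stops the HTTPS-to-HTTP downgrade described above. The sample response headers are constructed, and the one-year minimum max-age is an assumption.

```python
import ssl
from typing import Dict, List

# One year in seconds: the assumed minimum for a meaningful HSTS policy.
ONE_YEAR = 31_536_000


def hardened_client_context() -> ssl.SSLContext:
    """Client-side TLS context that refuses what Scenario 3 warns about.

    create_default_context() loads the system trust store and verifies the
    server certificate; the explicit settings below make the intent visible
    and hold even where an older interpreter has weaker defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / 1.1
    ctx.check_hostname = True                      # certificate must match host
    ctx.verify_mode = ssl.CERT_REQUIRED            # unverified peers are rejected
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern, for comparison only: accepts any version and any peer.

    Order matters: check_hostname must be off before verify_mode can be CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a context; empty when it is acceptable."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions below TLS 1.2")
    if not ctx.check_hostname:
        findings.append("does not check the certificate hostname")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid certificate")
    return findings


def has_strong_hsts(headers: Dict[str, str], min_max_age: int = ONE_YEAR) -> bool:
    """Check a response for a Strict-Transport-Security header.

    Once a browser has seen the header, it refuses to load the site over plain
    HTTP for max-age seconds, which is what defeats the downgrade. Header
    names are matched case-insensitively; a header without max-age is no policy.
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
            break
    if value is None:
        return False
    for directive in value.split(";"):
        key, _, raw = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(raw.strip()) >= min_max_age
            except ValueError:
                return False
    return False


# Constructed sample response headers for the demonstration.
SECURE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}
INSECURE_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print("hardened context findings:", audit_context(hardened_client_context()))
    print("weak context findings:    ", audit_context(weak_client_context()))
    print("secure headers HSTS ok:   ", has_strong_hsts(SECURE_HEADERS))
    print("insecure headers HSTS ok: ", has_strong_hsts(INSECURE_HEADERS))
```

The audit function is the useful part in a code review: run it over every `SSLContext` a code base builds, since a single `verify_mode = CERT_NONE` left over from debugging silently disables the certificate check.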

Scenario 4: Dangers of Insecure Password Management

You’ve probably heard of many cases where an “intern” accidentally pushed code with hard-coded credentials to a repository. That is a cryptographic failure. Imagine a developer with database access pushing code containing their credentials to a public server; what a malicious actor could do with that is scary. This is a lack of secure password and credential management.
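As an added example that is not from the original post, this Python scans source lines for the patterns by which credentials most often reach a repository, and shows the alternative of reading a secret from the environment and failing closed when it is missing. The sample source lines, hostnames and values are constructed, and the regular expressions are an assumption: they are a first-pass filter for a pre-commit hook or code review, not a substitute for a dedicated secret scanner.

```python
import os
import re
from typing import List, Tuple

# Patterns for the most common ways credentials end up in source. They favour
# recall over precision: a finding is a prompt to look, not a verdict.
SECRET_PATTERNS = [
    ("hard-coded password", re.compile(
        r"""(?i)(password|passwd|pwd)\s*[=:]\s*["'][^"']{4,}["']""")),
    ("credentials in connection URL", re.compile(
        r"""(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@"']+:[^@\s"']+@""")),
    ("embedded private key", re.compile(
        r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
]

# Constructed sample file, as a list of lines, standing in for a file a
# developer is about to commit. Hostnames and values are made up.
SAMPLE_SOURCE_LINES = [
    'import os',
    'DB_HOST = "db.internal.example"',
    'DB_PASSWORD = "Sup3rSecret!"  # hard-coded: CWE-259',
    'DATABASE_URL = "postgres://app:Sup3rSecret!@db.internal.example/app"',
    'API_KEY = os.environ["API_KEY"]  # read from the environment instead',
    'SIGNING_KEY = "-----BEGIN RSA PRIVATE KEY-----"  # key material in source',
]


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, finding label, stripped line) for every match.

    Line numbers are 1-based; a line can produce more than one finding.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((number, label, line.strip()))
    return findings


def load_secret(name: str) -> str:
    """The alternative to hard-coding: read the secret from the environment,
    populated by a secrets manager or the deployment platform, and fail closed
    when it is absent rather than falling back to a built-in default."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not set")
    return value


if __name__ == "__main__":
    for number, label, text in scan_lines(SAMPLE_SOURCE_LINES):
        print(f"line {number}: {label}: {text}")
```

A credential that was ever committed must be treated as exposed and rotated, even if the commit is later rewritten out of history: scanning is for catching the push before it happens.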

Strategies for Preventing and Addressing Cryptographic Failures

Importance of Encryption Keys in Preventing Cryptographic Failures

All encryption keys should be generated with a cryptographically secure random number generator and stored as byte arrays. Plaintext passwords should never be stored as-is: convert them to ciphertext using these keys, and only with a strong, well-vetted encryption method or algorithm. Using long salts for sensitive data increases security further.
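An added example (not the post's own code) contrasting the guidance above with the anti-pattern: a key derived from a seeded general-purpose PRNG, which anyone who guesses the seed can regenerate (CWE-331, insufficient entropy), against a key drawn from the operating system CSPRNG and kept as bytes, plus a purpose-bound subkey derivation with HMAC-SHA256 so that one master key is not used directly for every purpose. The purpose labels and key lengths are assumptions for the example.

```python
import hashlib
import hmac
import random
import secrets


def weak_key_from_seed(seed: int) -> bytes:
    """The anti-pattern (CWE-331): a 'key' from a deterministic PRNG.

    random.Random is built for simulations, not secrets. The same seed
    always yields the same bytes, and seeds taken from the clock or a
    counter leave only a small space for an attacker to search.
    """
    rng = random.Random(seed)
    return rng.getrandbits(256).to_bytes(32, "big")


def generate_key(length: int = 32) -> bytes:
    """A key drawn from the operating system CSPRNG, kept as a byte array."""
    if length < 16:
        raise ValueError("keys shorter than 128 bits are not acceptable")
    return secrets.token_bytes(length)


def derive_subkey(master: bytes, purpose: str, length: int = 32) -> bytes:
    """Derive a purpose-bound key from a uniformly random master key.

    One root key, one derived key per use (database column, session tokens,
    backups): rotating or exposing one use does not touch the others. This is
    the first block of HKDF-Expand (RFC 5869), T(1) = HMAC(PRK, info || 0x01),
    which is all that is needed for outputs up to one digest in length.
    """
    if not 1 <= length <= hashlib.sha256().digest_size:
        raise ValueError("single-block derivation: ask for 1 to 32 bytes")
    info = purpose.encode("utf-8") + b"\x01"
    return hmac.new(master, info, hashlib.sha256).digest()[:length]


if __name__ == "__main__":
    # Constructed seed standing in for 'time.time()' or a build counter.
    print("seeded key reproducible:", weak_key_from_seed(1234) == weak_key_from_seed(1234))
    master = generate_key()
    print("master key bytes:", len(master))
    print("db-column subkey  :", derive_subkey(master, "db-column").hex())
    print("session subkey    :", derive_subkey(master, "session-token").hex())
```

The master key itself belongs in a key management service or hardware module; the application should hold only the derived subkeys it needs, for as long as it needs them.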

Implementing Secure Coding Practices to Avoid Cryptographic Failures

Secure coding is a set of guidelines developers follow to build security into the application’s code. These practices ensure that strong cryptography is used throughout the application rather than only at the perimeter of its components, which reduces the chance of cryptographic failures.

Conducting Penetration Testing to Identify Cryptographic Vulnerabilities

Cryptography is one aspect of security that is difficult to get perfectly right. To make sure you haven’t missed anything, you need to conduct regular penetration testing. Penetration testing shows you an attacker’s perspective on your application; thinking like an attacker helps identify cryptographic and other weaknesses and helps prioritize fixes.

In Summary, Understanding and Addressing Cryptographic Failures

Long story short, it is clear why the OWASP Top 10 keeps cryptographic failures on its list. This is not something to take lightly, as companies large and small have fallen victim to cryptographic failures.

The scope of strengthening cryptography in your application is rather large, because it is not a single loophole or bug to fix. It is a collection of weaknesses and poor cryptographic practices that need to be addressed. One thing is clear from everything we have covered so far: it is crucial to assess the strength of the cryptography implementations in your application and work towards improving them, and understanding what cryptographic failures are is the first step of that assessment.

About Software Secured:

Software Secured offers hacker-led manual penetration testing combined with our proprietary testing stack to provide a more comprehensive test. Streamline multiple security projects in one place through Portal, the online reporting dashboard that allows you to manage tests, track SLAs, download reports, and view your security posture over time.

Software Secured offers baseline penetration testing for one-time proof of your application security or year-round security coverage through Penetration Testing as a Service (PTaaS). Software Secured also offers a variety of augmented services such as security code review, internal network pentesting, secure cloud review and threat modelling.

Cryptographic failures are one of those vulnerability classes where the gap between 'we use encryption' and 'our encryption is implemented correctly' is widest and where the difference only becomes clear under manual testing. A web application penetration test will assess your cryptographic implementation choices, key management practices, and transport security configuration against the failure patterns described in this post.

Ready to get in touch? Get started by booking a consultation now.


About the author

Kaycie Waldman

Demand Generation Manager

Kaycie Waldman works closely with SaaS, cloud, and technology organizations on security, risk, and compliance initiatives that support growth and enterprise readiness. Her work spans strategic content, go-to-market initiatives, and customer trust programs designed to support scale, compliance, and enterprise sales.
