OWASP Top 10 – A02: Cryptographic Failures Explained

Photo: Padlock on keyboard symbolizing security inspection. Credit: Kris from Pixabay

Learn what cryptographic failures are, why they matter, and how to avoid them. This simple guide covers OWASP Top 10's #2 risk to web application security.

What Are Cryptographic Failures?

Cryptographic failures are weaknesses in how an application protects data with cryptography: missing encryption, weak or misused algorithms, and poor key management. OWASP used to call this category "Sensitive Data Exposure" (the 2017 list) and renamed it to focus on the root cause rather than the symptom.

In simple terms, if your website or app stores, sends, or receives private data (passwords, card numbers, personal information) without proper cryptographic protection, that data is at risk. Attackers can read or tamper with it when it is not encrypted, when it is encrypted with outdated methods, or when the keys that protect it are exposed.

Why Are Cryptographic Failures Dangerous?

Failing to encrypt sensitive data can lead to:

  • Identity theft and fraud
  • Financial losses for users or the business
  • Data breaches and legal issues (e.g. GDPR, HIPAA violations)
  • Loss of customer trust

Once private data is exposed, it’s nearly impossible to fully undo the damage.

Common Examples of Cryptographic Failures

1. Storing Passwords in Plain Text

Passwords should never be stored, not even encrypted; store only a salted hash produced by a slow password-hashing function such as Argon2id (the current OWASP recommendation), scrypt, or bcrypt. Plain-text storage means a single database dump exposes every account, and because users reuse passwords, many accounts on other sites as well.

2. Using Weak or Outdated Algorithms

MD5 and SHA-1 are broken as collision-resistant hashes (practical collisions have been demonstrated for both), and because they are fast general-purpose hashes they are unsuitable for passwords even with a salt: a GPU can test billions of candidates per second. The same applies to obsolete ciphers and protocol versions such as DES, RC4 and TLS 1.0/1.1, and to insecure modes such as AES in ECB mode, which leaks patterns in the plaintext.
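The two failures above side by side, as an added example that is not part of the original article: a legacy unsalted MD5 scheme next to a salted scrypt scheme using only Python's standard library, plus the upgrade-on-login logic needed when migrating existing accounts. The storage format, the work factors and the function names are this example's own choices; the scrypt cost is kept modest so it runs quickly, and production deployments should raise it (OWASP currently suggests N=2^17, r=8, p=1).

```python
import hashlib
import hmac
import re
import secrets

# Example work factors (assumed values for this demo). Raise N in production
# and set maxmem accordingly; scrypt uses roughly 128 * N * r bytes.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16
KEY_BYTES = 32

# Legacy records are bare 32-char hex strings with no salt and no prefix.
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def legacy_md5_hash(password: str) -> str:
    """The 'before': unsalted MD5, as found in many old user tables.
    Identical passwords give identical hashes, and a GPU tries billions
    of guesses per second, so this is barely better than plain text."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """The 'after': a per-user random salt plus a slow, memory-hard KDF.
    Stored as $scrypt$N$r$p$salt_hex$hash_hex (this example's own format)
    so the parameters can be raised later without breaking old records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=SCRYPT_MAXMEM, dklen=KEY_BYTES,
    )
    return "$scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters and compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        _, scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p),
            maxmem=SCRYPT_MAXMEM, dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False  # malformed record or parameters over the memory limit
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True for legacy MD5 records or scrypt records below current cost."""
    if LEGACY_MD5_RE.match(stored):
        return True
    parts = stored.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[2:5])
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def authenticate(stored: str, password: str):
    """Check a login against whatever format is on file. Returns
    (ok, replacement_hash): when the password is correct and the record
    is weak, the caller saves replacement_hash. Login is the only moment
    the plain-text password is available, so it is the only moment a
    legacy account can be upgraded."""
    if LEGACY_MD5_RE.match(stored):
        ok = hmac.compare_digest(legacy_md5_hash(password), stored)
    else:
        ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        return True, hash_password(password)
    return ok, None
```

The self-describing record format is the important design choice: when hardware gets faster you raise the constants, and `needs_rehash` quietly upgrades each account at its next successful login instead of forcing a password reset.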

3. Lack of HTTPS

Without HTTPS, everything exchanged between the browser and the server travels in clear text, so anyone on the network path (a public Wi-Fi operator, an ISP, a compromised router) can read session cookies, credentials and form data, and can modify responses in transit. The same failure occurs in disguise when an application uses HTTPS but disables certificate validation or accepts obsolete TLS versions: the padlock is there, the protection is not.
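An added example, not from the original article, of the disguised form of this failure: the client-side TLS settings developers write to "make certificate errors go away", next to a hardened configuration, and a small audit function that flags the weak settings. It uses Python's standard ssl module only; the function names are this example's own, and the same minimum-version floor applies to a server-side context.

```python
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The 'before': a context that silences certificate errors.
    Without chain and hostname verification any on-path attacker can
    present their own certificate, so this is HTTPS in name only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The 'after': full chain and hostname verification against the
    system trust store (or a private CA bundle passed as cafile) and no
    protocol version older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the cryptographic-failure findings for a client context.
    Useful as a unit test around whatever builds your app's TLS settings,
    so a 'temporary' verify=False never reaches production unnoticed."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("obsolete TLS versions (1.0/1.1) accepted")
    return findings
```

Pass the hardened context to `urllib.request.urlopen(url, context=ctx)` or any library that accepts an SSLContext. For a private CA, supply its bundle through `cafile` rather than disabling verification; the two are not equivalent, and only the former keeps the attacker out.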

4. Insecure Encryption Key Storage

Encryption is only as strong as the protection of its keys. Keys committed to source code, pasted into configuration files, or stored in the same database as the data they protect are a common finding; an attacker who obtains the key, or a backup that holds both key and ciphertext, can decrypt everything. Keys also need to be rotatable, which a hard-coded key never is.

How to Prevent Cryptographic Failures

  • Use HTTPS everywhere: TLS 1.2 or later for all traffic, redirect HTTP to HTTPS, and send an HSTS header so browsers refuse to fall back to plain text.
  • Hash passwords: Argon2id, scrypt, or bcrypt with a per-user salt and a work factor tuned to your hardware; never store passwords with reversible encryption.
  • Use modern encryption: AES-256 in an authenticated mode such as AES-GCM (or ChaCha20-Poly1305) with a unique nonce per message; avoid ECB and unauthenticated CBC, which allow undetected tampering.
  • Store encryption keys securely: in a hardware security module (HSM) or a cloud key management service, or at minimum injected at runtime from a secrets manager; never in source control or next to the data.
  • Avoid unnecessary data storage: only keep sensitive data when absolutely required (for example, store a payment processor's token instead of the card number), and classify data so you know what needs protection.
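An added example, not code from the original article, tying together the "modern encryption" and "store keys securely" items above: AES-256-GCM for a record at rest, with the key injected at runtime from the environment rather than hard-coded, a fresh nonce per message, and the record's row identity bound into the ciphertext as associated data so a record cannot be silently moved or altered. It uses the cryptography package (pyca); the environment variable name, the record layout and the function names are this example's own assumptions.

```python
import os
import secrets
from typing import Mapping, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_ENV_VAR = "APP_DATA_KEY_HEX"   # assumed variable name for this example
KEY_BYTES = 32                     # AES-256
NONCE_BYTES = 12                   # 96-bit GCM nonce, the recommended size


def generate_key_hex() -> str:
    """Generate a fresh 256-bit key. Done once, out of band; the result
    goes into the secret store or KMS, never into the repository."""
    return AESGCM.generate_key(bit_length=KEY_BYTES * 8).hex()


def load_key(env: Optional[Mapping[str, str]] = None) -> bytes:
    """Read the key injected at runtime (by a secrets manager, a KMS
    wrapper, or the orchestrator) instead of hard-coding it. Failing
    closed when the key is missing beats starting up with a default."""
    env = os.environ if env is None else env
    hex_key = env.get(KEY_ENV_VAR)
    if hex_key is None:
        raise RuntimeError("%s is not set; refusing to run without a key" % KEY_ENV_VAR)
    key = bytes.fromhex(hex_key)
    if len(key) != KEY_BYTES:
        raise ValueError("expected a %d-byte key, got %d" % (KEY_BYTES, len(key)))
    return key


def encrypt_record(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """AES-256-GCM gives confidentiality and integrity in one step.
    A fresh random nonce per message is mandatory: reusing a nonce under
    the same key breaks GCM completely. The nonce is not secret, so it is
    simply stored in front of the ciphertext (this example's layout)."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def decrypt_record(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Split off the nonce and decrypt; raises InvalidTag if the data or
    the associated data differ from what was encrypted."""
    nonce, ciphertext = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    return AESGCM(key).decrypt(nonce, ciphertext, aad)


def is_tampered(key: bytes, blob: bytes, aad: bytes = b"") -> bool:
    """True if the authentication tag check fails, which is what an
    attacker flipping bytes in the database, or copying a record from
    one row to another, produces."""
    try:
        decrypt_record(key, blob, aad)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    # Constructed demo: the key would normally arrive via the environment.
    demo_key = load_key({KEY_ENV_VAR: generate_key_hex()})
    blob = encrypt_record(demo_key, b"4111 1111 1111 1111", aad=b"user:42")
    print(decrypt_record(demo_key, blob, aad=b"user:42"))
    print("moved to another user:", is_tampered(demo_key, blob, aad=b"user:43"))
```

Passing the row identifier as associated data is the detail worth copying: the ciphertext stays opaque, but decrypting it under any other identifier fails, so a database-level attacker cannot swap one user's encrypted data into another's row. Key rotation is then a matter of prefixing records with a key identifier and keeping the old key readable until the last record is re-encrypted.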

Real-World Example

In 2018, British Airways disclosed a breach in which the payment details of roughly 380,000 transactions were stolen. Attackers had injected a script into the airline's website that copied card details as customers typed them into the payment form. The UK Information Commissioner's Office found that the airline had failed to put adequate security measures in place and, in 2020, fined it £20 million on top of lasting reputational damage. The lesson for this category is that encrypting data at rest is not enough on its own: sensitive data needs protection at every point where it is handled, including the moment it is captured.

Final Thoughts

Cryptographic failures are among the more preventable risks in the Top 10, yet they keep appearing because the work is easy to postpone. Developers must ensure that sensitive data is protected with current, correctly used cryptography both at rest and in transit, that passwords are hashed rather than stored, and that keys are kept out of code and configuration. Staying up to date with security standards and best practices, such as the OWASP Cryptographic Storage and Password Storage cheat sheets, is key to keeping users and systems safe.