The program uses a weak encryption algorithm that cannot guarantee the confidentiality of sensitive data.
Antiquated encryption algorithms such as DES no longer provide sufficient protection for use with sensitive data. Encryption algorithms rely on key size as one of the primary mechanism to ensure cryptographic strength. Cryptographic strength is often measured by the time and computational power needed to generate a valid key. Advances in computing power have made it possible to obtain small encryption keys in a reasonable amount of time. For example, the 56-bit key used in DES posed a significant computational hurdle in the 1970's when the algorithm was first developed, but today DES can be cracked in less than a day using commonly available equipment.
[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage
[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A8 Insecure Storage
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3150.1 CAT II
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 327
[6] distributed.net DES
[7] FAQ About the Electronic Frontier Foundation's "DES Cracker" Machine Electronic Frontier Foundation
[8] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage
[9] Microsoft Security Fundamentals Microsoft
[10] Standards Mapping - FIPS200 - (FISMA) MP
[11] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Porous Defenses - CWE ID 327
[12] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 327
[13] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.3, Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.8
[17] SDL Development Practices Microsoft